Cyber Resilience

CVE-2025-64439

High · RCE

Published: 07 November 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in version 3.0.0)
CVSS v4 Score: 7.4 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0126 (79.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64439 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, within the LLM/Generative AI Risks risk domain.

Deeper analysis

LangGraph SQLite Checkpoint, an implementation of LangGraph's CheckpointSaver that uses SQLite for both synchronous and asynchronous checkpointing, contains a remote code execution vulnerability in versions 2.1.2 and below. The JsonPlusSerializer, the default serialization protocol, is affected when payloads are deserialized in "json" mode; although the library prefers msgpack serialization, it falls back to json if illegal Unicode surrogate values cause msgpack to fail. This stems from unsafe deserialization behavior classified under CWE-502.

An attacker with the ability to supply or influence checkpoint data saved under the json fallback path can craft malicious payloads that execute arbitrary code upon deserialization. Exploitation requires the victim application to load the tainted checkpoint, which can occur in multi-user or shared persistence scenarios where untrusted inputs reach the serializer.

The vulnerability is addressed in version 3.0.0 of the checkpointer library, as noted in the GitHub security advisory GHSA-wwqv-p2pp-99h5 and the corresponding release and code changes. Upgrading eliminates the unsafe json fallback path for deserialization.

EPSS remains low and unchanged at 0.0126 with no observed rise after disclosure.

EU & UK References

Vulnerability details

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the "json" mode. This issue is fixed in version 3.0.0.

CWE(s)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: langgraph

Related Threats

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions. (addresses CWE-502)

- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses. (addresses CWE-502)

- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, blocking gadget-chain exploitation outside it. (addresses CWE-502)

- Validates or rejects untrusted serialized data before deserialization occurs. (addresses CWE-502)

- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries. (addresses CWE-502)

- Integrity verification of serialized information can detect tampering before deserialization occurs. (addresses CWE-502)

- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs. (addresses CWE-502)
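The deeper analysis above identifies the "json" fallback mode as the path that makes deserialization unsafe, and the control list names two checks that run before any deserializer is involved: validating or rejecting untrusted serialized data, and verifying its integrity. The following is an added example, not code from LangGraph, from the checkpointer library, or from this advisory, that implements both as a gate in front of a checkpoint store. It assumes a simplified record layout of (id, type, payload, tag) in an in-memory SQLite table constructed here (not the checkpointer's real schema), a constructed demo key, and the `msgpack`/`json` type strings as the advisory describes the two modes; the function names are hypothetical.

```python
"""Integrity and policy gate for serialized checkpoint records.

Added example (not LangGraph or advisory code). Two checks run before any
deserializer sees the bytes:
  1. policy: records stored in the "json" fallback mode are refused
  2. integrity: an HMAC-SHA256 tag over (type, payload) must verify
The store below is a constructed stand-in, not the checkpointer's schema.
"""
import hashlib
import hmac
import sqlite3
from typing import List, Tuple

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# The advisory names "msgpack" as the preferred mode and "json" as the risky fallback.
ALLOWED_TYPES = frozenset({"msgpack"})


def tag_record(key: bytes, blob_type: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over type and payload, each length-prefixed so the fields cannot be confused."""
    t = blob_type.encode("utf-8")
    msg = len(t).to_bytes(4, "big") + t + len(payload).to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def check_record(key: bytes, blob_type: str, payload: bytes, tag: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for one stored record without deserializing it."""
    # Integrity first: a forged or relabelled record never reaches the policy step.
    if not hmac.compare_digest(tag_record(key, blob_type, payload), tag):
        return False, "integrity: tag mismatch"
    if blob_type not in ALLOWED_TYPES:
        return False, f"policy: serialization type {blob_type!r} not allowed"
    return True, "ok"


def build_demo_store(key: bytes) -> sqlite3.Connection:
    """Constructed in-memory table with one good, one json-mode and one tampered record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id TEXT PRIMARY KEY, type TEXT, payload BLOB, tag BLOB)")
    good = b"\x81\xa5state\x01"        # constructed bytes standing in for a msgpack payload
    fallback = b'{"state": 1}'          # constructed bytes standing in for a json-mode payload
    tampered = b"\x81\xa5state\x02"     # same record as `good` with one byte changed
    rows = [
        ("cp-1", "msgpack", good, tag_record(key, "msgpack", good)),
        ("cp-2", "json", fallback, tag_record(key, "json", fallback)),
        ("cp-3", "msgpack", tampered, tag_record(key, "msgpack", good)),  # tag no longer matches
    ]
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def audit_store(conn: sqlite3.Connection, key: bytes) -> List[Tuple[str, str]]:
    """Return (id, reason) for every record the loader must refuse to deserialize."""
    findings = []
    query = "SELECT id, type, payload, tag FROM records ORDER BY id"
    for rid, blob_type, payload, tag in conn.execute(query):
        ok, reason = check_record(key, blob_type, payload, tag)
        if not ok:
            findings.append((rid, reason))
    return findings


if __name__ == "__main__":
    for rid, reason in audit_store(build_demo_store(DEMO_KEY), DEMO_KEY):
        print(f"{rid}: refused ({reason})")
```

The tag covers the type string as well as the payload, so a record cannot be relabelled from msgpack to json without failing the integrity check, and the policy step refuses anything already stored in the fallback mode. Neither check is a substitute for upgrading to 3.0.0, which removes the fallback path itself; they are the compensating control for stores written by older versions.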

References