CVE-2025-64439
Published: 07 November 2025
Summary
CVE-2025-64439 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, it ranks in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
Deeper analysis
LangGraph SQLite Checkpoint, an implementation of LangGraph's CheckpointSaver that uses SQLite for both synchronous and asynchronous checkpointing, contains a remote code execution vulnerability in versions 2.1.2 and below. The JsonPlusSerializer, the default serialization protocol, is affected when payloads are deserialized in "json" mode; although the library prefers msgpack serialization, it falls back to json if illegal Unicode surrogate values cause msgpack to fail. This stems from unsafe deserialization behavior classified under CWE-502.
An attacker with the ability to supply or influence checkpoint data saved under the json fallback path can craft malicious payloads that execute arbitrary code upon deserialization. Exploitation requires the victim application to load the tainted checkpoint, which can occur in multi-user or shared persistence scenarios where untrusted inputs reach the serializer.
The vulnerability is addressed in version 3.0.0 of the checkpointer library, as noted in the GitHub security advisory GHSA-wwqv-p2pp-99h5 and the corresponding release and code changes. Upgrading eliminates the unsafe json fallback path for deserialization.
EPSS remains low and unchanged at 0.0126 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37934
Vulnerability details
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the "json" mode. This issue is fixed in version 3.0.0.
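The two passages above describe the same mechanism: msgpack serialization fails on strings containing unpaired Unicode surrogates, and the pre-3.0.0 serializer then stores the blob in "json" mode, whose deserializer is the unsafe path. The following added example (not code from the advisory or the langgraph project) shows three defender-side checks for a deployment that cannot upgrade immediately: screening untrusted state for lone surrogates before it reaches the checkpointer, auditing an existing SQLite store for rows tagged "json", and wrapping a serializer so "json"-typed blobs are refused rather than loaded. It assumes the langgraph-checkpoint-sqlite 2.x schema (tables `checkpoints` and `writes`, each with a `type` column naming the serializer) and a serializer object exposing `loads_typed((type, bytes))`; both are assumptions to verify against your own database and version, and all sample rows and inputs are constructed.

```python
"""Defender-side checks around the msgpack -> json fallback (CVE-2025-64439).

Added example; not from the advisory or the langgraph project. The table and
column names below are an ASSUMPTION about the langgraph-checkpoint-sqlite 2.x
schema; confirm them with `.schema` in the sqlite3 shell before relying on them.
"""
import sqlite3
from typing import List, Tuple

# "msgpack" is the preferred serializer; "json" is the fallback whose
# deserializer is unsafe before version 3.0.0.
PREFERRED_SERDE = "msgpack"


def has_lone_surrogate(text: str) -> bool:
    """True if `text` holds an unpaired UTF-16 surrogate (U+D800..U+DFFF).
    Such strings cannot be encoded as UTF-8, which is why msgpack fails and
    the pre-3.0 serializer falls back to "json"."""
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        return True
    return False


def scan_state_for_fallback_triggers(state: object, path: str = "$") -> List[str]:
    """Walk a JSON-like state object; return paths of strings that would force
    the json fallback. Run on untrusted input before it reaches the checkpointer."""
    hits: List[str] = []
    if isinstance(state, str):
        if has_lone_surrogate(state):
            hits.append(path)
    elif isinstance(state, dict):
        for key, value in state.items():
            if isinstance(key, str) and has_lone_surrogate(key):
                hits.append(f"{path}.<key>")
            hits.extend(scan_state_for_fallback_triggers(value, f"{path}.{key}"))
    elif isinstance(state, (list, tuple)):
        for i, item in enumerate(state):
            hits.extend(scan_state_for_fallback_triggers(item, f"{path}[{i}]"))
    return hits


def find_non_msgpack_rows(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """Return (table, thread_id, checkpoint_id, type) for every stored blob whose
    serializer type is not msgpack (NULL included). On a pre-3.0.0 deployment
    these rows would be loaded through the unsafe json path; review or drop them."""
    flagged: List[Tuple[str, str, str, str]] = []
    for table in ("checkpoints", "writes"):  # fixed names, not user input
        rows = conn.execute(
            f"SELECT thread_id, checkpoint_id, type FROM {table} WHERE type IS NOT ?",
            (PREFERRED_SERDE,),
        ).fetchall()
        flagged.extend((table, t, c, ty) for t, c, ty in rows)
    return flagged


def strict_loads_typed(serde, data: Tuple[str, bytes]):
    """Wrap a serializer so "json"-typed blobs are refused instead of loaded.
    ASSUMPTION: `serde.loads_typed((type, bytes))` is the loading entry point."""
    type_, _ = data
    if type_ != PREFERRED_SERDE:
        raise ValueError(f"refusing to deserialize {type_!r}-typed checkpoint blob")
    return serde.loads_typed(data)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory store: one healthy msgpack row, two json rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE checkpoints (
            thread_id TEXT NOT NULL, checkpoint_ns TEXT NOT NULL DEFAULT '',
            checkpoint_id TEXT NOT NULL, parent_checkpoint_id TEXT,
            type TEXT, checkpoint BLOB, metadata BLOB,
            PRIMARY KEY (thread_id, checkpoint_ns, checkpoint_id));
        CREATE TABLE writes (
            thread_id TEXT NOT NULL, checkpoint_ns TEXT NOT NULL DEFAULT '',
            checkpoint_id TEXT NOT NULL, task_id TEXT NOT NULL, idx INTEGER NOT NULL,
            channel TEXT NOT NULL, type TEXT, value BLOB,
            PRIMARY KEY (thread_id, checkpoint_ns, checkpoint_id, task_id, idx));
        """
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, '', ?, NULL, ?, ?, ?)",
        [("thread-a", "ckpt-1", "msgpack", b"\x80", b"\x80"),  # constructed, healthy
         ("thread-b", "ckpt-2", "json", b"{}", b"{}")],       # constructed, fallback
    )
    conn.execute(
        "INSERT INTO writes VALUES (?, '', ?, ?, ?, ?, ?, ?)",
        ("thread-b", "ckpt-2", "task-1", 0, "messages", "json", b"[]"),
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in find_non_msgpack_rows(build_sample_db()):
        print("review before loading:", row)
    untrusted = {"messages": ["hello", "bad\udc80value"], "meta": {"k": "ok"}}  # constructed
    print("fallback triggers:", scan_state_for_fallback_triggers(untrusted))
```

Against a real store, open it read-only (`sqlite3.connect("file:checkpoints.sqlite?mode=ro", uri=True)`) and feed the connection to `find_non_msgpack_rows`; any flagged row is one where the fallback fired and deserves the same scrutiny as any other untrusted input. None of these checks replaces the fix in version 3.0.0, which removes the unsafe json deserialization path outright.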
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: langgraph
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
Untrusted serialized data can be deserialized and observed inside a sandbox, so that any gadget-chain exploitation is contained there and cannot reach the host.
Validates or rejects untrusted serialized data before deserialization occurs.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.