High severityNVD Advisory· Published Dec 10, 2025· Updated Dec 11, 2025
LangGraph SQLite Checkpoint is vulnerable to SQL Injection via metadata filter key in checkpointer list method
CVE-2025-67644
Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
langgraph-checkpoint-sqlitePyPI | < 3.0.1 | 3.0.1 |
Affected products
2- Range: < 3.0.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-9rwj-6rc7-p77cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67644ghsaADVISORY
- github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2aghsax_refsource_MISCWEB
- github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77cghsax_refsource_CONFIRMWEB
News mentions
3- Critical Vulnerability Chain in LangGraph Allows Attackers to Gain Full Server ControlCyber Security News · Jun 12, 2026
- LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code ExecutionThe Hacker News · Jun 12, 2026
- From SQLi to RCE – Exploiting LangGraph’s CheckpointerCheck Point Research · Jun 11, 2026