LangGraph Vulnerability Allows Malicious Python Code Execution During Deserialization

Source: Cyber Security News

A severe vulnerability, tracked as CVE-2025-64439, affects LangGraph's checkpoint serialization layer, specifically the JsonPlusSerializer that the langgraph-checkpoint package uses for checkpoint persistence. The flaw carries a CVSS score of 8.5 and is classified as CWE-502 (deserialization of untrusted data). An attacker who can supply or tamper with checkpoint data that the serializer will deserialize can execute arbitrary Python code in the process that loads it.

Applications that persist checkpoints with the default JsonPlusSerializer are exposed wherever untrusted data can reach the checkpoint store: a crafted checkpoint runs code as soon as it is loaded, which makes the handling of user-supplied and externally stored data the central concern. langgraph-checkpoint version 3.0 fixes the issue by adding an allow-list for constructor deserialization, so that only an approved set of import paths can be invoked while a checkpoint is loaded, and by deprecating the unsafe mechanisms. Users should upgrade promptly; until the upgrade is in place, the checkpoint store has to be treated as a trust boundary, since anyone who can write to it can execute code in the application that reads it.
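The following is an added, illustrative example of the CWE-502 pattern described above and of the allow-list style of fix; it is not LangGraph's own code and does not reproduce its wire format. It assumes a hypothetical JSON checkpoint layout in which objects are stored as "constructor" records (a module path, a callable name and arguments), one reviver that imports and calls whatever the record names, and a hardened reviver that only accepts constructors from a fixed allow-list. The record tag, function names, allow-list contents and sample checkpoints are all constructed for this demonstration.

```python
"""Illustrative constructor deserialization: unchecked (vulnerable) vs allow-listed.

Added example, not LangGraph's code. The record layout, names and allow-list
contents are assumptions chosen for illustration.
"""
import importlib
import json
import os
from datetime import datetime
from decimal import Decimal
from typing import Any
from uuid import UUID

# Tag marking a constructor record in the hypothetical JSON checkpoint format.
CONSTRUCTOR_TAG = "__constructor__"


class UnsafeConstructor(ValueError):
    """Raised when a checkpoint names a constructor outside the allow-list."""


def revive_unchecked(record: dict[str, Any]) -> Any:
    """Vulnerable reviver: imports any module and calls any attribute the record names.

    Because module, name and arguments all come from the checkpoint bytes, whoever
    controls the stored checkpoint controls which callable runs on load.
    """
    ctor = getattr(importlib.import_module(record["module"]), record["name"])
    return ctor(*record.get("args", []), **record.get("kwargs", {}))


# Hardened form: only these (module, name) pairs may be revived. The table maps the
# dotted path straight to the callable, so no import is driven by checkpoint data.
ALLOWED_CONSTRUCTORS: dict[tuple[str, str], Any] = {
    ("datetime", "datetime"): datetime,
    ("decimal", "Decimal"): Decimal,
    ("uuid", "UUID"): UUID,
}


def revive_allowlisted(record: dict[str, Any]) -> Any:
    """Hardened reviver: refuses any constructor not in ALLOWED_CONSTRUCTORS."""
    key = (record.get("module"), record.get("name"))
    if key not in ALLOWED_CONSTRUCTORS:
        raise UnsafeConstructor(f"refusing to revive {key[0]}.{key[1]}")
    args = record.get("args", [])
    kwargs = record.get("kwargs", {})
    if not isinstance(args, list) or not isinstance(kwargs, dict):
        raise UnsafeConstructor("constructor arguments must be a list and a dict")
    return ALLOWED_CONSTRUCTORS[key](*args, **kwargs)


def _hook_factory(revive):
    """Builds a json object_hook that revives tagged records with the given reviver."""
    def hook(obj: dict[str, Any]) -> Any:
        if len(obj) == 1 and CONSTRUCTOR_TAG in obj:
            return revive(obj[CONSTRUCTOR_TAG])
        return obj
    return hook


def load_checkpoint_unchecked(data: str) -> Any:
    return json.loads(data, object_hook=_hook_factory(revive_unchecked))


def load_checkpoint_allowlisted(data: str) -> Any:
    return json.loads(data, object_hook=_hook_factory(revive_allowlisted))


# Constructed sample checkpoints (not real LangGraph data).
LEGIT_CHECKPOINT = json.dumps({
    "ts": {CONSTRUCTOR_TAG: {"module": "datetime", "name": "datetime",
                             "args": [2025, 11, 1, 12, 30, 0]}},
    "amount": {CONSTRUCTOR_TAG: {"module": "decimal", "name": "Decimal",
                                 "args": ["19.99"]}},
})

# A record naming a callable unrelated to checkpoint state. The unchecked reviver
# imports and calls it; a harmless function is used here to keep the demo safe.
MALICIOUS_CHECKPOINT = json.dumps({
    "state": {CONSTRUCTOR_TAG: {"module": "os", "name": "getcwd", "args": []}},
})


def demo() -> dict[str, bool]:
    """Runs both revivers over both checkpoints and reports the outcome of each."""
    legit = load_checkpoint_allowlisted(LEGIT_CHECKPOINT)
    result = {
        "legit_ok": legit["ts"] == datetime(2025, 11, 1, 12, 30)
        and legit["amount"] == Decimal("19.99"),
        # The unchecked path really ran os.getcwd chosen by the checkpoint author.
        "unchecked_ran_attacker_callable":
            load_checkpoint_unchecked(MALICIOUS_CHECKPOINT)["state"] == os.getcwd(),
    }
    try:
        load_checkpoint_allowlisted(MALICIOUS_CHECKPOINT)
        result["allowlist_blocked"] = False
    except UnsafeConstructor:
        result["allowlist_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened reviver never lets checkpoint data drive an import: the allow-list maps a dotted path to a callable that was resolved when the module was written, and anything not in the table is rejected before any argument is touched. In a real deployment the allow-list would cover only the types the application actually stores, and the checkpoint store itself would still be treated as a trust boundary.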

Read the original: Cyber Security News