LangGraph JsonPlusSerializer Remote Code Execution Vulnerability in SQLite Checkpoint

A remote code execution vulnerability has been identified in the LangGraph library, specifically within the JsonPlusSerializer component used for checkpointing. This issue is present in versions through 2.1.2. The vulnerability arises when the serializer deserializes payloads saved in the 'json' mode, which is a fallback for certain serialization errors. Exploitation occurs if an attacker can manipulate the application to save a malicious payload in this format, leading to the execution of arbitrary Python code during deserialization.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected LangGraph application is running.

Reproduction

The vulnerability can be reproduced by creating a checkpoint using the SqliteSaver, and then invoking a malicious payload that exploits the deserialization process of the JsonPlusSerializer. The payload must be crafted to include a constructor-style format that the deserializer will execute, such as a command to be run on the system.

Remediation

Users are advised to upgrade to LangGraph version 3.0.0 or later, which includes a patch for this vulnerability by restricting the deserialization of custom objects saved in the 'json' mode. In 'langgraph-api', any version 0.5 or later is also free of this vulnerability.