LangGraph SQLite Checkpoint Unsafe Msgpack Deserialization Vulnerability Allowing Arbitrary Code Execution

A vulnerability exists in LangGraph SQLite Checkpoint versions through 1.0.9, where the checkpoint loading process can be exploited to execute arbitrary code. This issue arises because LangGraph checkpointers deserialize msgpack-encoded data that can reconstruct Python objects. If an attacker gains privileged write access to the checkpoint data store, they could inject a crafted payload that triggers unsafe object reconstruction during deserialization. While no evidence suggests this vulnerability is actively exploited, it poses a significant risk by potentially escalating a compromised checkpoint store into code execution within the application runtime, where sensitive environment variables or cloud credentials could be exposed.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution or other harmful effects during the deserialization of checkpoints. It allows an attacker to escalate from having write access to the checkpoint store to executing code in the application's runtime, potentially exposing runtime secrets or accessing other systems reachable from the runtime.

Remediation

Users can enable strict mode in LangGraph by setting the environment variable 'LANGGRAPH_STRICT_MSGPACK' to a truthy value. This change will make the msgpack deserialization policy more secure by blocking unsafe types and only allowing a built-in safe set to be reconstructed. Additionally, LangGraph provides an allowlist mechanism to control which msgpack 'ext' types can be deserialized, allowing for further customization of the deserialization process.