Andrew Davies
Back to sources
email newsletterJune 25, 2026

AppSec

Clint Gibler

Open original source

Retained excerpt

AppSec From SQLi to RCE – Exploiting LangGraph’s Checkpointer Checkpoint Research's Yarden Porat describes three vulnerabilities in LangGraph's persistence layer, two of which chain into remote code execution against self-hosted deployments. The chain starts with a SQL injection in the SQLite checkpointer where user-controlled filter input is inserted directly into the database query, letting attackers plant fake rows into the results. Because LangGraph deserializes whatever it reads back from the checkpoint table, the planted row triggers an unsafe msgpack deserialization that imports and calls attacker-controlled Python functions, giving them shell access on the server. A parallel SQL injection introduces the same flaw into the Redis checkpointer. The vulnerabilities require self-hosted LangGraph deployments where the application exposes get_state_history with a user-controlled filter. Introducing Session Switcher. Swap Burp Sessions with One Click! Doyensec's Savino Sisco shares…

This limited excerpt is retained to explain the source trail. Rights remain with the original publisher.

AppSec | Crashboard