AppSec
Clint Gibler
Open original sourceRetained excerpt
AppSec From SQLi to RCE – Exploiting LangGraph’s Checkpointer Checkpoint Research's Yarden Porat describes three vulnerabilities in LangGraph's persistence layer, two of which chain into remote code execution against self-hosted deployments. The chain starts with a SQL injection in the SQLite checkpointer where user-controlled filter input is inserted directly into the database query, letting attackers plant fake rows into the results. Because LangGraph deserializes whatever it reads back from the checkpoint table, the planted row triggers an unsafe msgpack deserialization that imports and calls attacker-controlled Python functions, giving them shell access on the server. A parallel SQL injection introduces the same flaw into the Redis checkpointer. The vulnerabilities require self-hosted LangGraph deployments where the application exposes get_state_history with a user-controlled filter. Introducing Session Switcher. Swap Burp Sessions with One Click! Doyensec's Savino Sisco shares…
This limited excerpt is retained to explain the source trail. Rights remain with the original publisher.