The LangGraph project, a powerful, low-level orchestration framework trusted by major tech companies for building stateful AI agents, has issued a high-severity security advisory for a Remote Code Execution (RCE) vulnerability. The flaw, tracked as CVE-2025-64439 (CVSS 7.4), resides in the JsonPlusSerializer component and can allow an attacker to execute arbitrary Python code on affected systems.
Given LangGraph’s role in managing complex, long-running agent workflows, and its impressive 20 million monthly downloads, this vulnerability poses a significant risk to applications using it for persistence.
At the heart of the issue lies a dangerous fallback mechanism in the LangGraph checkpoint serializer. By default, LangGraph attempts to use MessagePack (msgpack) for serialization. However, in versions prior to 3.0, if certain illegal Unicode surrogate values caused serialization to fail, the system would fall back to a “json” mode.
The danger lies in how the “json” mode deserializer handled custom objects. It supported a constructor-style format—defined by lc == 2 and type == “constructor”—to allow custom Python objects to be rebuilt during deserialization. An attacker could exploit this feature to execute arbitrary Python code.
“When operating in this mode, the deserializer supports a constructor-style format… If an attacker is able to trigger this mode with a malicious payload, deserializing allows the attacker to execute arbitrary functions upon load,” the advisory explains.
In essence, if an application accepted untrusted data into its checkpointing system, an attacker could craft a malicious payload that executes arbitrary commands with the same privileges as the running process. This could lead to full remote code execution in environments where LangGraph is integrated into production agents or backend services.
The vulnerability affects all users of the langgraph-checkpoint library versions earlier than 3.0.
Users are considered most at risk if they meet both of the following conditions:
- They “Allow untrusted or user-supplied data to be persisted into checkpoints”.
- They “Use the default serializer (or explicitly instantiate JsonPlusSerializer) that may fall back to ‘json’ mode”.
If an application only processes trusted data or does not allow untrusted checkpoint writes, the practical risk is reduced.
The LangGraph team has released a fix in version 3.0 of the langgraph-checkpoint library. All users are strongly advised to upgrade immediately.
The patch resolves the issue by preventing the deserialization of custom objects saved in the vulnerable “json” mode. Users deploying via langgraph-api are not affected if they are running version 0.5 or later.
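One way to triage exposure, as an added example that is not code from the advisory or the LangGraph project: it checks whether a langgraph-checkpoint version falls in the affected range and scans stored checkpoint blobs for the constructor-style marker (lc == 2, type == "constructor") described above. It assumes the blobs have already been read from the store as bytes; the function names, sample blobs and their key layout are constructed for illustration.

```python
import json
from importlib import metadata


def find_constructor_envelopes(node, path="$"):
    """Yield the path of every dict with lc == 2 and type == "constructor"."""
    if isinstance(node, dict):
        if node.get("lc") == 2 and node.get("type") == "constructor":
            yield path
        for key, value in node.items():
            yield from find_constructor_envelopes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_constructor_envelopes(value, f"{path}[{index}]")


def scan_blob(blob: bytes) -> list:
    """Return flagged paths in one blob; blobs that are not JSON yield []."""
    try:
        document = json.loads(blob.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return []
    return list(find_constructor_envelopes(document))


def is_affected_version(version: str) -> bool:
    """Per the advisory, langgraph-checkpoint earlier than 3.0 is affected."""
    return int(version.split(".")[0]) < 3


def installed_checkpoint_version():
    """Installed langgraph-checkpoint version, or None if it is not installed."""
    try:
        return metadata.version("langgraph-checkpoint")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample blobs; the key names other than "lc" and "type" are made up.
SAMPLES = {
    "thread-1": b'{"state": {"items": ["hello", "world"]}}',
    "thread-2": b'{"state": {"items": ["ok", {"lc": 2, "type": "constructor"}]}}',
    "thread-3": b"\x81\xa5state\xc0",  # binary (msgpack-style) blob, skipped
}

if __name__ == "__main__":
    print("installed:", installed_checkpoint_version())
    for name, blob in SAMPLES.items():
        print(name, scan_blob(blob))
```

A flagged path means the checkpoint was stored in the “json” format with a constructor entry and deserves review of how that data was written; it is not by itself proof of compromise.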