CVE-2025-64439 is a high-severity insecure deserialization vulnerability in langgraph-checkpoint (pip), affecting versions < 3.0.0. It is fixed in 3.0.0.
Summary

Prior to langgraph-checkpoint version 3.0, LangGraph's JsonPlusSerializer (the default serialization protocol for all checkpointing) contains a remote code execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. If an attacker can cause your application to persist a payload serialized in this mode, they may also be able to supply content that executes arbitrary Python code during deserialization. Upgrading to langgraph-checkpoint 3.0 patches this vulnerability by preventing deserialization of custom objects saved in this mode. If you are deploying in langgraph-api, any version 0.5 or later is also free of this vulnerability.

Details

Affected file / component: jsonplus.py

By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused msgpack serialization to fail, it would fall back to "json" mode. In this mode the deserializer supports a constructor-style format (lc == 2, type == "constructor") for custom objects so that they can be reconstructed at load time. An attacker who can trigger this mode with a malicious payload can therefore have arbitrary functions executed when the checkpoint is loaded.

Who is affected

This issue affects all users of langgraph-checkpoint versions earlier than 3.0 who:
- allow untrusted or user-supplied data to be persisted into checkpoints, and
- use the default serializer (or explicitly instantiate JsonPlusSerializer), which may fall back to "json" mode.

If your application only processes trusted data or does not allow untrusted checkpoint writes, the practical risk is reduced.

Proof of Concept (PoC)

Running this PoC writes a file /tmp/pwnd.txt to disk, demonstrating code execution.

Internally, this exploits the following code path:

Fixed Version

The vulnerability is fixed in langgraph-checkpoint==3.0.0.
Release link: https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D3.0.0

Fix Description

The fix introduces an allow-list for constructor deserialization, restricting permissible "id" paths to explicitly approved module/class combinations provided at serializer construction. Additionally, saving payloads in "json" format has been deprecated to remove this unsafe fallback path.

Mitigation

Upgrade immediately to langgraph-checkpoint==3.0.0. This version is fully compatible with langgraph>=0.3 and does not require any import changes or code modifications. In langgraph-api, updating to 0.5 or later will automatically require the patched version of the checkpointer library.
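The following is an added example, written for this page and not code from langgraph-checkpoint or the advisory's PoC. It models the two loading paths the Details and Fix Description sections describe: an unsafe loader that imports and calls whatever the constructor-style "id" path names, and a hardened loader that applies an allow-list of module/class tuples before importing anything. It also includes a check for the fallback trigger (a string that cannot be UTF-8 encoded because of an unpaired surrogate) and an audit helper for data already sitting in a checkpoint store. The payload shape (keys "lc", "type", "id", "kwargs"), the function names, the allow-list contents and the sample payloads are assumptions made for this example.

```python
"""Illustrative model of "json"-mode constructor loading, before and after an
allow-list. Added example: not langgraph-checkpoint's own code. The payload
shape ("lc", "type", "id", "kwargs") and all names here are assumptions."""
import importlib
import json
from typing import Any, Iterable

# Constructed sample payloads (not taken from the advisory's PoC).
BENIGN = {"lc": 2, "type": "constructor",
          "id": ["datetime", "timedelta"], "kwargs": {"days": 1}}
# An attacker only needs "id" to name some importable callable; os.getcwd is a
# harmless stand-in for whatever the attacker would actually run.
MALICIOUS = {"lc": 2, "type": "constructor", "id": ["os", "getcwd"], "kwargs": {}}

# The only module/class combination this (hypothetical) application stores.
ALLOWED = frozenset({("datetime", "timedelta")})


def has_lone_surrogate(text: str) -> bool:
    """True if text cannot be UTF-8 encoded because it holds an unpaired
    surrogate. The advisory names this as the condition that pushed the
    pre-3.0 serializer from msgpack into the "json" fallback."""
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        return True
    return False


def _is_constructor(obj: Any) -> bool:
    return (isinstance(obj, dict) and obj.get("lc") == 2
            and obj.get("type") == "constructor" and isinstance(obj.get("id"), list))


def _resolve(id_path: list) -> Any:
    """Import ".".join(id_path[:-1]) and return its attribute id_path[-1]."""
    module = importlib.import_module(".".join(id_path[:-1]))
    return getattr(module, id_path[-1])


def unsafe_load(obj: Any) -> Any:
    """Pre-fix behaviour: any importable callable named by "id" is invoked."""
    if _is_constructor(obj):
        kwargs = {k: unsafe_load(v) for k, v in obj.get("kwargs", {}).items()}
        return _resolve(obj["id"])(**kwargs)
    if isinstance(obj, dict):
        return {k: unsafe_load(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [unsafe_load(v) for v in obj]
    return obj


def safe_load(obj: Any, allowed: Iterable[tuple]) -> Any:
    """Fixed behaviour: the full "id" path must match the allow-list exactly
    before anything is imported or called."""
    allowed = frozenset(allowed)
    if _is_constructor(obj):
        id_path = tuple(obj["id"])
        if id_path not in allowed:
            raise ValueError(f"constructor {'.'.join(id_path)} is not allow-listed")
        kwargs = {k: safe_load(v, allowed) for k, v in obj.get("kwargs", {}).items()}
        return _resolve(list(id_path))(**kwargs)
    if isinstance(obj, dict):
        return {k: safe_load(v, allowed) for k, v in obj.items()}
    if isinstance(obj, list):
        return [safe_load(v, allowed) for v in obj]
    return obj


def find_unapproved_constructors(obj: Any, allowed: Iterable[tuple]) -> list:
    """Audit helper: walk already-persisted JSON-mode data and list every
    constructor "id" the allow-list would reject, without loading any of it."""
    allowed = frozenset(allowed)
    found = []

    def walk(node: Any) -> None:
        if _is_constructor(node):
            if tuple(node["id"]) not in allowed:
                found.append(tuple(node["id"]))
            walk(node.get("kwargs", {}))
        elif isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(obj)
    return found


if __name__ == "__main__":
    blob = json.dumps({"state": [BENIGN, MALICIOUS]})  # what "json" mode would persist
    print(find_unapproved_constructors(json.loads(blob), ALLOWED))
    print(unsafe_load(MALICIOUS))  # os.getcwd() really ran: arbitrary call on load
    try:
        safe_load(MALICIOUS, ALLOWED)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is keyed on the whole tuple, so approving ("datetime", "timedelta") does not approve anything else under datetime, and a payload naming ("os", "getcwd") is rejected before importlib is touched. find_unapproved_constructors is the check to run over an existing checkpoint store after upgrading: any hit is a blob that a pre-3.0 loader would have executed.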
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
Affected: langgraph-checkpoint < 3.0.0 (pip). Fixed in: langgraph-checkpoint 3.0.0.

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2025-64439 is reachable in your applications.
Upgrade langgraph-checkpoint to 3.0.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
langgraph-checkpoint (pip) versions < 3.0.0 are affected.
Yes. CVE-2025-64439 is fixed in 3.0.0. Upgrade to this version or later.