7.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8709

GHSA ID

GHSA-4h97-wpxp-3757

EPSS Score

0.0377%

CWE

CWE-89

Published

10/26/2025

Updated

10/27/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8709

CVE-2025-8709: LangGraph's SQLite store implementation has a SQL Injection Vulnerability

A SQL injection vulnerability exists in the langchain-ai/langgraph repository, specifically in the LangGraph's SQLite store implementation. The affected version is langgraph-checkpoint-sqlite 2.0.10. The vulnerability arises from improper handling of filter operators ($eq, $ne, $gt, $lt, $gte, $lte) where direct string concatenation is used without proper parameterization. This allows attackers to inject arbitrary SQL, leading to unauthorized access to all documents, data exfiltration of sensitive fields such as passwords and API keys, and a complete bypass of application-level security filters.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-8709

CVE-2025-8709:

7.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8709

GHSA ID

GHSA-4h97-wpxp-3757

EPSS Score

0.0377%

CWE

CWE-89

Published

10/26/2025

Updated

10/27/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
langgraph-checkpoint-sqlite	pip	<= 2.0.10	2.0.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch for CVE-2025-8709 reveals a SQL injection vulnerability in the langgraph-checkpoint-sqlite package. The root cause is the improper handling of keys within the filter parameter of the SqliteStore.search method. These keys were used directly in SQL query construction without sanitization.

The patch introduces a new function, _validate_filter_key, which uses a regular expression to allow only safe characters in filter keys. This validation function is then called at the beginning of _get_filter_condition and within the loop of _prepare_batch_search_queries.

The vulnerable functions are identified as:

SqliteStore.search: The public API method that takes the malicious filter object as input.
SqliteStore._prepare_batch_search_queries: This method iterates over the user-provided filter and was modified to validate each key.
SqliteStore._get_filter_condition: This method constructs the SQL WHERE clause and was also modified to validate the key before using it.

An attacker could exploit this by crafting a filter with a malicious key, such as "access') = 'public' OR '1'='1'", to bypass security filters and access or exfiltrate data from the SQLite database.

Vulnerable functions

SqliteStore._get_filter_condition

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This function is responsible for creating SQL filter conditions. Before the patch, it used the 'key' argument directly in the construction of the SQL query without any validation or sanitization. This allowed an attacker to inject malicious SQL by providing a specially crafted key in the filter, leading to a SQL injection vulnerability.

SqliteStore._prepare_batch_search_queries

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This function iterates through the user-supplied filter criteria to prepare search queries. It extracts the 'key' from the filter and, prior to the patch, passed it to other methods without validation. The addition of `_validate_filter_key(key)` in the patch indicates that this function was a source of the vulnerability by processing unsanitized user input.

SqliteStore.search

libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

This is the public-facing method that serves as the entry point for the vulnerability. It accepts a 'filter' argument from the user, which can contain malicious keys. Although the SQL injection doesn't happen directly in this function, it receives the tainted input and passes it down to internal methods like `_prepare_batch_search_queries` and `_get_filter_condition`, which then construct the malicious SQL query. The exploit is triggered by calling this function.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-8709: LangGraph's SQLite store implementation has a SQL Injection Vulnerability

CVE-2025-8709:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.3

7.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-8709: LangGraph's SQLite store implementation has a SQL Injection Vulnerability

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI