CVE-2025-64104: LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
LangGraph’s SQLite store implementation contains SQL injection vulnerabilities: it builds queries by direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.
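The concatenation pattern described above next to a hardened form, as an added example that is not LangGraph's code: the `store` table, the `build_filter_*` and `search` helpers and the sample rows are constructed for illustration, and SQLite's JSON1 functions are assumed to be available.

```python
import re
import sqlite3

# Constructed illustration: table, helper names and rows are assumptions,
# not LangGraph's schema or code.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def build_filter_unsafe(filters):
    """Flawed pattern: each filter key is concatenated into the SQL text."""
    clauses = [f"json_extract(value, '$.{k}') = ?" for k in filters]
    return " AND ".join(clauses) or "1", list(filters.values())

def build_filter_safe(filters):
    """Allowlist the key's shape, then bind the JSON path as a parameter."""
    clauses, params = [], []
    for key, val in filters.items():
        if not isinstance(key, str) or not _KEY_RE.match(key):
            raise ValueError(f"illegal filter key: {key!r}")
        clauses.append("json_extract(value, ?) = ?")
        params += [f"$.{key}", val]
    return " AND ".join(clauses) or "1", params

def search(conn, namespace, filters, builder):
    """Return keys in one namespace whose JSON value matches the filters."""
    where, params = builder(filters)
    sql = f"SELECT key FROM store WHERE namespace = ? AND ({where})"
    return [row[0] for row in conn.execute(sql, [namespace, *params])]

def demo_conn():
    """In-memory store with two tenants' rows (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (namespace TEXT, key TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO store VALUES (?, ?, ?)",
        [("alice", "doc1", '{"status": "open"}'),
         ("bob", "doc2", '{"status": "open"}')],
    )
    return conn

if __name__ == "__main__":
    conn = demo_conn()
    print(search(conn, "alice", {"status": "open"}, build_filter_safe))
    for builder in (build_filter_unsafe, build_filter_safe):
        try:
            search(conn, "alice", {"a'b": "open"}, builder)
        except (sqlite3.Error, ValueError) as exc:
            print(builder.__name__, "->", type(exc).__name__, exc)
```

With the unsafe builder, the quote in the constructed key `a'b` reaches SQLite's parser and surfaces as an `OperationalError`; the safe builder rejects the key before any SQL text is assembled.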