CVE-2025-67644

HIGH

langgraph-checkpoint-sqlite < 3.0.1 - SQL Injection via Metadata Filter Key Interpolation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-67644. PoCs published by XiaomingX, mbanyamer.

AI-analyzed exploit summary: The repository contains a functional Python exploit demonstrating SQL injection in LangGraph SQLite Checkpoint via unsanitized metadata filter keys. The PoC bypasses filters by injecting SQL fragments into the metadata query, confirming the vulnerability.

Description

LangGraph SQLite Checkpoint is an implementation of the LangGraph CheckpointSaver that uses a SQLite database (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation, which allows attackers to manipulate SQL queries through metadata filter keys. This affects applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-67644

The repository contains a functional Python exploit demonstrating SQL injection in LangGraph SQLite Checkpoint via unsanitized metadata filter keys. The PoC bypasses filters by injecting SQL fragments into the metadata query, confirming the vulnerability.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: langgraph-checkpoint-sqlite < 3.0.1
No auth needed
Prerequisites: Access to the target database file or API exposing the filter parameter
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2025-67644-LangGraph-3.0.1-SQLite-Checkpoint-SQL-Injection

This repository contains a functional Python exploit demonstrating SQL injection in LangGraph's SQLite checkpoint system via unsanitized metadata filter keys. The PoC shows how to bypass filters and dump all checkpoint records.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: langgraph-checkpoint-sqlite < 3.0.1
No auth needed
Prerequisites: vulnerable version of langgraph-checkpoint-sqlite installed · access to the checkpoint database file
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.3
EPSS 0.0002
EPSS Percentile 6.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (3)
langchain/langgraph-checkpoint-sqlite < 3.0.1
langchain-ai/langgraph < 3.0.1
pypi/langgraph-checkpoint-sqlite 0 - 3.0.1 (PyPI)
Published Dec 11, 2025
Tracked Since Feb 18, 2026