A high-severity remote code execution (RCE) vulnerability has been disclosed in the LangGraph checkpointing library.
Published by Eugene Yurtsev, a key contributor at LangChain AI, the advisory (GHSA-wwqv-p2pp-99h55) highlights a flaw in the JsonPlusSerializer that could allow attackers to execute arbitrary Python code.
Affecting versions of langgraph-checkpoint below 3.0, this issue underscores the risks of deserialization in untrusted environments.
LangGraph, part of the LangChain ecosystem, enables developers to build stateful, multi-actor applications using large language models.
Its checkpointing feature persists application states across sessions, typically using the JsonPlusSerializer for efficient serialization.
By default, this serializer prefers MessagePack for compact storage. However, in earlier versions, if Unicode surrogate values triggered serialization errors, it would fall back to a “json” mode.
This mode introduced a dangerous constructor-style deserialization (lc=2, type=“constructor”), which reconstructs custom Python objects by invoking functions from specified modules.
Attackers could exploit this by injecting malicious payloads into checkpoints. For instance, a crafted object might reference the “os.system” function with harmful commands, like writing files or running shell scripts.
Deserialization during state loading would then trigger the code, leading to full RCE on the host system.
The vulnerability requires an attacker to influence checkpoint persistence, such as through user-supplied data in collaborative AI apps or shared workflows.
This affects users of langgraph-checkpoint <3.0 who rely on the default serializer and handle untrusted inputs.
Applications processing only trusted data face lower risk, but in production setups like multi-tenant AI services, the threat is significant.
Yurtsev’s proof-of-concept demonstrates the attack: a StateGraph with a malicious dictionary payload, including a constructor for “os.system” that echoes text into /tmp/pwnd.txt, executes upon subsequent invocation.
The PoC uses SqliteSaver to persist the state, showing how a single tainted checkpoint can compromise the system.
LangChain AI patched the issue in langgraph-checkpoint 3.0, released in late 2025. The fix implements an allow-list for constructor paths, restricting deserialization to approved modules, and deprecates the unsafe JSON fallback entirely.
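As an added illustration of the allow-list approach the fix takes, the following is example code written for this article, not LangChain's own implementation; the node field names `id`, `args` and `kwargs` are an assumption modelled on the lc=2 / type=“constructor” convention described above, and the sample checkpoints are constructed.

```python
import importlib
from typing import Any

# Assumed node shape (field names "id", "args", "kwargs" are my assumption,
# modelled on the lc=2 / type="constructor" convention named in the advisory):
#   {"lc": 2, "type": "constructor", "id": ["datetime", "datetime"], "args": [2025, 1, 1]}

# Dotted paths that may be reconstructed; anything else is refused outright.
ALLOWED_CONSTRUCTORS = frozenset({"datetime.datetime", "datetime.date", "uuid.UUID"})


class UnsafeConstructorError(ValueError):
    """Raised when a checkpoint references a constructor outside the allow-list."""


def safe_load(value: Any) -> Any:
    """Walk a decoded checkpoint, reviving only allow-listed constructor nodes."""
    if isinstance(value, dict):
        if value.get("lc") == 2 and value.get("type") == "constructor":
            path = ".".join(str(p) for p in value.get("id", []))
            if path not in ALLOWED_CONSTRUCTORS:
                # Fail closed: abort the whole load instead of skipping the node.
                raise UnsafeConstructorError(f"refusing to reconstruct {path!r}")
            module_name, _, attr = path.rpartition(".")
            target = getattr(importlib.import_module(module_name), attr)
            # Recurse into arguments first so a payload cannot hide inside them.
            args = safe_load(value.get("args", []))
            kwargs = safe_load(value.get("kwargs", {}))
            return target(*args, **kwargs)
        return {k: safe_load(v) for k, v in value.items()}
    if isinstance(value, list):
        return [safe_load(v) for v in value]
    return value


def checkpoint_is_safe(value: Any) -> bool:
    """True when the checkpoint revives without touching a non-allow-listed path."""
    try:
        safe_load(value)
        return True
    except UnsafeConstructorError:
        return False


# Constructed sample checkpoints (not taken from the advisory's PoC).
BENIGN_CHECKPOINT = {"ts": {"lc": 2, "type": "constructor",
                            "id": ["datetime", "datetime"], "args": [2025, 1, 1]}}
TAINTED_CHECKPOINT = {"state": [{"lc": 2, "type": "constructor",
                                 "id": ["os", "system"], "args": ["<any command>"]}]}
```

Because the check runs before any import or call, a tainted node is rejected without the referenced function ever being resolved, and nesting a disallowed constructor inside the arguments of an allowed one is caught by the recursion.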
Users can upgrade seamlessly, as the version maintains compatibility with LangGraph 0.3+. For LangGraph API deployments, versions 0.5+ incorporate the fix automatically.
Developers should prioritize updating to mitigate this RCE risk, especially in AI-driven applications where state persistence is common.
Regularly auditing serialization practices and validating inputs remain essential best practices.
This incident reminds the community that even robust libraries like LangGraph demand vigilant security reviews as adoption grows.
