Описание
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
Summary
LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.
Details
/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py
The key portion of the JSON path is concatenated directly into the SQL string without sanitation. There's a few different occurrences within the file.
Who is affected
This issue affects only developers or projects that directly use the checkpoint-sqlite store.
An application is vulnerable only if it:
- Instantiates the
SqliteStorefrom thecheckpoint-sqlitepackage, and - Builds the
filterargument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).
If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.
Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Пакеты
langgraph-checkpoint-sqlite
<= 2.0.10
2.0.11
Связанные уязвимости
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.