{"data":{"id":"08ad94e2-e94b-4f60-b105-58f83cccd2c2","title":"GHSA-g48c-2wqr-h844: LangGraph checkpoint loading has unsafe msgpack deserialization","summary":"LangGraph has a vulnerability where checkpoints stored using msgpack (a serialization format for encoding data) can be unsafe if an attacker gains write access to the checkpoint storage (like a database). When the application loads a checkpoint, unsafe code could be executed if an attacker crafted a malicious payload. This is a post-compromise risk that requires the attacker to already have privileged access to the storage system.","solution":"LangGraph provides several mitigation options: (1) Set the environment variable `LANGGRAPH_STRICT_MSGPACK` to a truthy value (`1`, `true`, or `yes`) to enable strict mode, which blocks unsafe object types by default. (2) Configure `allowed_msgpack_modules` in your serializer or checkpointer to `None` (strict mode, only safe types allowed), a custom allowlist of specific modules and classes like `[(module, class_name), ...]`, or `True` (the default, allows all types but logs warnings). (3) When compiling a `StateGraph` with `LANGGRAPH_STRICT_MSGPACK` enabled, LangGraph automatically derives an allowlist from the graph's schemas and channels and applies it to the checkpointer.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-g48c-2wqr-h844","publishedAt":"2026-03-05T20:19:49.000Z","cveId":"CVE-2026-28277","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["langgraph@<= 1.0.9"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangGraph"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00021,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}