GHSA-g48c-2wqr-h844: LangGraph checkpoint loading has unsafe msgpack deserialization
Summary
LangGraph has a vulnerability where checkpoints stored using msgpack (a serialization format for encoding data) can be unsafe if an attacker gains write access to the checkpoint storage (like a database). When the application loads a checkpoint, unsafe code could be executed if an attacker crafted a malicious payload. This is a post-compromise risk that requires the attacker to already have privileged access to the storage system.
Solution / Mitigation
LangGraph provides several mitigation options: (1) Set the environment variable `LANGGRAPH_STRICT_MSGPACK` to a truthy value (`1`, `true`, or `yes`) to enable strict mode, which blocks unsafe object types by default. (2) Configure `allowed_msgpack_modules` in your serializer or checkpointer to `None` (strict mode, only safe types allowed), a custom allowlist of specific modules and classes like `[(module, class_name), ...]`, or `True` (the default, allows all types but logs warnings). (3) When compiling a `StateGraph` with `LANGGRAPH_STRICT_MSGPACK` enabled, LangGraph automatically derives an allowlist from the graph's schemas and channels and applies it to the checkpointer.
Vulnerability Details
EPSS: 0.0%
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-g48c-2wqr-h844
First tracked: March 5, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%