GHSA-fjqc-hq36-qh5p: LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
Summary
LangGraph's `JsonPlusSerializer` (a tool that converts JSON data back into Python objects) has a vulnerability where checkpoint files (saved states of an AI workflow) stored insecurely could be modified by attackers and cause arbitrary code execution (running attacker-chosen commands) when the checkpoint is loaded. This risk only applies if someone gains unauthorized write access to where checkpoints are stored, but the concern is converting that storage access into full control of the running application.
Solution / Mitigation
The JSON deserialization path has been narrowed so that revival is restricted to default-constructor reconstruction using the args/kwargs carried in the payload. The framework's own encoder has not relied on the removed behavior for produced checkpoints since the msgpack migration, so this change does not affect freshly written checkpoints. Additionally, treat checkpoint stores as integrity-sensitive by restricting write access and rotating credentials if unauthorized access is suspected, and avoid providing custom JSON revival hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.
Vulnerability Details
EPSS: 0.2%
Yes
June 25, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-fjqc-hq36-qh5p
First tracked: June 25, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%