Bugs
Arbitrary code execution (e.g., os.system('echo pwnd > /tmp/pwnd.txt')) during graph.invoke() or checkpoint load when processing malicious checkpoint containing surrogate-triggered JSON payload with constructor like {\"lc\":2,\"type\":\"constructor\",\"id\":[\"os\",\"system\"],\"kwargs\":{\"command\":\"...\"}}. No explicit error; silent RCE. Affects apps persisting untrusted data with default/explicit JsonPlusSerializer. [GHSA-wwqv-p2pp-99h5](https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5)

high severityLangGraph checkpoint (langgraph-checkpoint < 3.0)

Arbitrary code execution (e.g., os.system('echo pwnd > /tmp/pwnd.txt')) during graph.invoke() or checkpoint load when processing malicious checkpoint containing surrogate-triggered JSON payload with constructor like {\"lc\":2,\"type\":\"constructor\",\"id\":[\"os\",\"system\"],\"kwargs\":{\"command\":\"...\"}}. No explicit error; silent RCE. Affects apps persisting untrusted data with default/explicit JsonPlusSerializer. [GHSA-wwqv-p2pp-99h5](https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5)

Root cause

JsonPlusSerializer (default for checkpointing) falls back to unsafe 'json' mode (lc=2, type='constructor') on msgpack failure (e.g., illegal Unicode surrogates like \\ud800). This mode allows arbitrary Python object reconstruction via constructor format, enabling execution of functions like os.system during deserialization of untrusted payloads. [GHSA-wwqv-p2pp-99h5](https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5)

langgraph-checkpointJsonPlusSerializerdeserializationRCECVE-2025-64439CWE-502picklemsgpack

Citations

https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5