Key Information

Vulnerability Overview
Vulnerability Type: SQL Injection
Affected Versions: <=2.0.10
Fixed Version: 2.0.11
CVE ID: CVE-2025-64104
CVSS v3 Base Metrics:
- Severity: High (7.3/10)
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: None

Affected Scope
Affected Package: langgraph-checkpoint-sqlite (pip)
Affected Users: Developers or projects directly using storage

Vulnerability Details
Description: An SQL injection vulnerability exists in LangGraph's SQLite storage implementation: user-controlled input is concatenated directly into SQL statements instead of being passed as bound parameters, so an attacker who controls that input can inject arbitrary SQL and bypass the access controls the query was meant to enforce.
Critical Code Snippet:

Exploitation Conditions
The application is vulnerable only if:
1. An instance of is created.
2. The parameter is constructed using untrusted or user-supplied input (e.g., query parameters, request body, or other external data).

PoC (Proof of Concept)
A complete code example is provided, including specific configuration details, to reproduce the vulnerability.
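To make the flaw class concrete, here is an added, self-contained illustration of "string concatenation without parameterization" in a SQLite-backed key-value store, beside its parameterized form. It is constructed for this page and is not langgraph-checkpoint-sqlite's code or API: the table schema, the sample rows, the classes VulnerableStore and HardenedStore and their search(namespace, filters) signature are all hypothetical stand-ins. The namespace column plays the role of the access-control boundary that an injected predicate can switch off.

```python
import json
import re
import sqlite3

# Constructed schema (hypothetical, not the library's real one): one table
# shared by all tenants, and the namespace column is the only access-control
# boundary between them.
SCHEMA = """
CREATE TABLE store (
    namespace TEXT NOT NULL,
    key       TEXT NOT NULL,
    value     TEXT NOT NULL,   -- JSON document
    PRIMARY KEY (namespace, key)
);
"""

# Constructed sample rows for two tenants.
SAMPLE_ROWS = [
    ("tenant_a", "k1", json.dumps({"owner": "alice", "secret": "A-1"})),
    ("tenant_a", "k2", json.dumps({"owner": "alice", "secret": "A-2"})),
    ("tenant_b", "k1", json.dumps({"owner": "bob", "secret": "B-1"})),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO store VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class VulnerableStore:
    """'Before' pattern: namespace, filter field and filter value are all
    pasted into the SQL text, so any of them can break out of its quotes."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def search(self, namespace: str, filters: dict) -> list:
        sql = f"SELECT key, value FROM store WHERE namespace = '{namespace}'"
        for field, expected in filters.items():
            sql += f" AND json_extract(value, '$.{field}') = '{expected}'"
        return self.conn.execute(sql).fetchall()


_SAFE_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class HardenedStore:
    """'After' pattern: namespace and filter values are bound parameters, and
    the JSON path is bound as well ('$.' + field) instead of interpolated.
    The identifier check is defence in depth: a field name that is not a
    plain identifier is rejected rather than turned into an arbitrary path."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def search(self, namespace: str, filters: dict) -> list:
        sql = "SELECT key, value FROM store WHERE namespace = ?"
        params = [namespace]
        for field, expected in filters.items():
            if not _SAFE_FIELD.match(field):
                raise ValueError(f"invalid filter field: {field!r}")
            sql += " AND json_extract(value, ?) = ?"
            params += ["$." + field, expected]
        return self.conn.execute(sql, params).fetchall()


# Attacker-controlled inputs. The value payload closes the quoted literal,
# ORs in an always-true predicate and comments out the rest of the statement;
# because AND binds tighter than OR, the namespace check stops restricting
# the result. The field payload does the same through the JSON path.
EVIL_VALUE = "x' OR 1=1 --"
EVIL_FIELD = "owner') IS NOT NULL OR 1=1 --"


def vulnerable_leak() -> list:
    """tenant_b asks for its own rows; the injected value returns every row."""
    return VulnerableStore(make_db()).search("tenant_b", {"owner": EVIL_VALUE})


def hardened_value_attack() -> list:
    """Same payload against the parameterised query: compared as a literal."""
    return HardenedStore(make_db()).search("tenant_b", {"owner": EVIL_VALUE})


def hardened_field_attack() -> str:
    """Injection through the field name is rejected before SQL is built."""
    try:
        HardenedStore(make_db()).search("tenant_b", {EVIL_FIELD: "ignored"})
    except ValueError as exc:
        return str(exc)
    return "not rejected"


def legitimate_search() -> list:
    """A normal filter still works on the hardened store."""
    return HardenedStore(make_db()).search("tenant_a", {"owner": "alice"})


if __name__ == "__main__":
    print("vulnerable, tenant_b + value payload ->", len(vulnerable_leak()), "rows")
    print("hardened,   tenant_b + value payload ->", len(hardened_value_attack()), "rows")
    print("hardened,   field payload            ->", hardened_field_attack())
    print("hardened,   legitimate tenant_a      ->", len(legitimate_search()), "rows")
```

Running the script shows the vulnerable store handing tenant_b all three rows, including tenant_a's secrets, while the hardened store returns none for the same payload, rejects the field-name payload outright, and still serves a legitimate tenant_a query. Two points worth keeping in mind when auditing code of this kind: in SQLite the json_extract path argument is an ordinary expression and can therefore be a bound parameter, so there is no need to interpolate even the field name; and anything that genuinely must be an SQL identifier (a column or table name) cannot be bound and has to be checked against an allow-list or a strict identifier pattern instead.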