@caseyclements caseyclements commented Nov 13, 2025

Issue Key

Summary

This PR addresses a critical security vulnerability found in langgraph-checkpoint's serializer, "JsonSerializer". It is described in detail here: RCE in json mode of JsonPlusSerializer.

Changes in this PR

The primary change was to bump to "langgraph-checkpoint >= 3.0".
The base checkpointer removed dumps/loads in preference of typed versions. We had previously only used the defaults so a few changes were made to update to these.

Test Plan

This change does not change any of our API so no changes to tests were made. All pass. INTPYTHON-826 will add tests of the serialization types once we expose them.

Screenshots (optional)

Checklist

Checklist for Author

  • Did you update the changelog (if necessary)?
  • Is the intention of the code captured in relevant tests?
  • Has a MongoDB Employee run the patch build of this PR?

Checklist for Reviewer {@primary_reviewer}

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
  • Have you checked for spelling & grammar errors?
  • Is all relevant documentation (README or docstring) updated?
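The vulnerability class behind this bump, a JSON reviver that rebuilds Python objects from type tags embedded in untrusted data, is easiest to reason about with an allow-list in hand. The following is an added example, not code from this PR or from langgraph, showing the defensive pattern: the reviver only reconstructs types from an explicit registry and refuses any tag it does not recognise, and the outer (kind, bytes) envelope is likewise checked against a fixed set of encodings. The names (`Checkpoint`, `safe_loads`, `loads_envelope`), the `__type__`/`data` tag format and the sample payloads are all constructed for illustration and do not reflect langgraph's real wire format or API.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable


# Constructed example type: the only thing this deserializer is willing to rebuild.
@dataclass(frozen=True)
class Checkpoint:
    step: int
    values: dict


class UnsafeTypeTag(ValueError):
    """Raised when a tagged object names a type that is not allow-listed."""


class UnsupportedEncoding(ValueError):
    """Raised when the envelope names an encoding we do not handle."""


# Allow-list of type tag -> constructor. Constructors validate their own fields;
# nothing here imports modules or looks up attributes by name from the payload.
ALLOWED_TYPES: dict[str, Callable[[dict], Any]] = {
    "Checkpoint": lambda d: Checkpoint(step=int(d["step"]), values=dict(d["values"])),
}

# Allow-list of envelope kinds -> decoder. Only "json" exists in this example.
ALLOWED_KINDS: dict[str, Callable[[bytes], Any]] = {}


def _reviver(obj: Any) -> Any:
    """json.loads object_hook: rebuild allow-listed tagged dicts, pass others through.

    object_hook runs bottom-up, so inner dicts (e.g. the 'data' payload) have
    already been processed by the time the tagged wrapper is seen.
    """
    if isinstance(obj, dict) and "__type__" in obj:
        tag = obj["__type__"]
        ctor = ALLOWED_TYPES.get(tag)
        if ctor is None:
            # Reject rather than fall back to a generic importer: an attacker-chosen
            # tag must never select arbitrary code to run.
            raise UnsafeTypeTag(f"refusing to reconstruct unlisted type {tag!r}")
        data = obj.get("data", {})
        if not isinstance(data, dict):
            raise UnsafeTypeTag(f"malformed payload for type {tag!r}")
        return ctor(data)
    return obj


def safe_loads(data: bytes) -> Any:
    """Decode JSON, reconstructing only allow-listed tagged objects."""
    return json.loads(data.decode("utf-8"), object_hook=_reviver)


ALLOWED_KINDS["json"] = safe_loads


def dumps_tagged(cp: Checkpoint) -> bytes:
    """Serialize a Checkpoint in the constructed tagged-JSON format."""
    envelope = {"__type__": "Checkpoint", "data": {"step": cp.step, "values": cp.values}}
    return json.dumps(envelope, sort_keys=True).encode("utf-8")


def dumps_envelope(cp: Checkpoint) -> tuple[str, bytes]:
    """Typed envelope: (encoding kind, payload bytes)."""
    return ("json", dumps_tagged(cp))


def loads_envelope(kind: str, payload: bytes) -> Any:
    """Dispatch on the envelope kind, refusing anything not allow-listed."""
    decoder = ALLOWED_KINDS.get(kind)
    if decoder is None:
        raise UnsupportedEncoding(f"unsupported encoding kind {kind!r}")
    return decoder(payload)


def is_safe_payload(payload: bytes) -> bool:
    """Convenience check: True only if the payload decodes without a refusal."""
    try:
        safe_loads(payload)
    except (UnsafeTypeTag, ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    cp = Checkpoint(step=3, values={"k": "v"})
    kind, raw = dumps_envelope(cp)
    print(loads_envelope(kind, raw) == cp)
    # Constructed hostile-looking payload: an unlisted tag is refused outright.
    print(is_safe_payload(b'{"__type__": "NotAllowed", "data": {}}'))
```

The design point is that the payload never chooses *which* code runs, only *which allow-listed constructor* receives already-decoded plain data; a missing entry is an error, not a fallback to dynamic import.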

@blink1073 blink1073 left a comment

LGTM!

@caseyclements caseyclements changed the title INTPYTHON-825 LangGraph-Checkpoint CVE bump INTPYTHON-825 LangGraph-Checkpoint CVE fix Nov 13, 2025
@caseyclements caseyclements merged commit 44d4e8f into langchain-ai:main Nov 13, 2025
18 checks passed
@caseyclements caseyclements deleted the INTPYTHON-825-langgraph-cve-bump branch November 13, 2025 01:34