Back to Blog

When Checkpoints Turn Into Code Execution: How Apex Would Unwind LangGraph's Deserialization Trap

When Checkpoints Turn Into Code Execution: How Apex Would Unwind LangGraph's Deserialization Trap

Unsafe deserialization is common enough that most teams think they know what the story will be before they read the advisory. That is what makes the LangGraph checkpoint bug more interesting than its headline.

According to CVE-2025-64439 / GHSA-wwqv-p2pp-99h5, versions of LangGraph before 3.0.0 can deserialize attacker-controlled data into arbitrary code execution when JsonPlusSerializer falls back from msgpack to json and reconstructs specially crafted payloads. The patch in c5744f5 closes that path.

The fallback detail is the entire story. The interesting question is not whether the application serializes data. It is whether the serializer changes its assumptions under error or compatibility conditions and then reloads that downgraded representation through a more dangerous reconstruction path.

That is exactly the kind of issue Apex should be built to catch. It is conditional, cross-cutting, and easy to overstate if you only look at the advisory in isolation.

The Real Vulnerability Lives In The State Transition

The dangerous path here is not simply “save state, then load state.” It is a state transition with a change in security model:

  1. graph state is serialized
  2. the serializer falls back from msgpack to json
  3. attacker-influenced content is preserved in the fallback form
  4. a later load path reconstructs objects from data that now carries more power than the system intended

That is a different story from the generic deserialization warning most teams are used to seeing. The failure is not only in reconstruction. The failure is in treating a fallback representation as operationally equivalent to the preferred representation.

This is why compatibility and “just make it work” logic is such fertile ground for security bugs. It is where otherwise mature systems relax invariants without explicitly acknowledging they are doing so.

A Useful Mental Model: Two Serializers, Two Trust Contracts

Engineers often read “msgpack vs json” as an implementation detail. For security, it is better to read it as a trust contract.

  • The primary path (msgpack) tends to be treated as “structured data.”
  • The recovery path (json), when paired with permissive reconstruction, can act more like a “programming language,” because it may encode types, constructors, or richer object graphs.

If fallback logic preserves “enough shape” to later reconstruct rich objects, it can accidentally preserve capability, not just state. At that point, a checkpoint stops being a passive record and becomes a vehicle for executing behavior during rehydration.

The Real Question: Where Does Checkpoint Data Come From?

The right way to reason about this bug is not “does the dependency have a CVE?” It is “can attacker-influenced data enter a checkpoint, survive persistence, and later re-enter the runtime via the vulnerable load path?”

Checkpointed state commonly includes:

  • User prompts and chat history.
  • Tool outputs from HTTP calls, database queries, or scraping.
  • Remote documents loaded into context (PDF, HTML, markdown).
  • Model outputs, which are untrusted in the same way user inputs are.
  • System annotations such as routing decisions, tool arguments, or structured scratch state.

The nuance is that these inputs have different controls around them. A system might sanitize web content but not model output. It might isolate user prompts but share tool outputs across runs. It might store checkpoints per session but allow “resume from checkpoint” across users.

If you want a crisp, defensible take, the post should make one thing explicit: the serializer vulnerability only becomes exploitable when untrusted content crosses a persistence boundary and later gets treated as trusted during reload.

Exploitability Hinges On Replay And Isolation

To make this concrete, think in terms of boundaries and replay mechanics:

  • Scope: Are checkpoints per user, per tenant, or global?
  • Lifecycle: Are checkpoints written and reloaded automatically, or only manually?
  • Replay: Can a checkpoint created in one context be replayed in another execution context?
  • Origin: Can a user influence the checkpoint contents indirectly, such as through tool-driven fetching or shared caches?

The scary operational scenarios usually involve one of these shapes:

  • Cross-user replay: A user can cause a checkpoint to be stored, and another user later resumes from it.
  • Shared worker / queue resume: A background worker resumes checkpoints created by many requestors.
  • Warm-start / “resume last run”: The system resumes a prior run without revalidating the checkpoint provenance.

If none of these are true, the issue can still be “real” but not operationally meaningful. If any of them are true, this stops being a theoretical deserialization pitfall and becomes a concrete multi-tenant boundary problem.

What Apex Would Need To Prove (And How)

Apex should approach this as a reachability problem, not a checklist problem.

Step 1: Confirm LangGraph + checkpointing are actually in play

  • Is LangGraph used directly, or is it a transitive dependency never invoked?
  • Are checkpoints enabled, and if so, which checkpointer implementation is used?
  • Where is the serializer chosen and passed around?

Step 2: Find the fallback path and the reconstruction sink

The key is demonstrating both:

  • a path that triggers fallback from msgpack to json under realistic conditions, and
  • a later path that rehydrates objects from the fallback representation.

This is where static analysis alone is rarely enough. You need call-graph + configuration resolution + error-handling analysis. The vulnerability is in the interaction.

Step 3: Track attacker influence through the graph state

Apex’s value is that it can connect:

  • the sources of data that enter state (prompt, tool output, document loader)
  • where that state gets stored (disk, blob store, redis)
  • how it gets reloaded (resume, retry, recovery)
  • whether any consumer treats rehydrated objects as trusted

This yields a materially better output than a scanner: it can say “this repo uses LangGraph < 3.0.0” and “user-controlled fields can reach checkpoint persistence and later hit the vulnerable reconstruction path.”

What The Patch Tells Us (And What It Should Teach)

The patch in c5744f5 matters because it is a design correction, not only a tactical guard. Even without spelunking the entire diff, the public description of the fix points to two shifts worth emphasizing:

  • Constructor reconstruction becomes constrained rather than permissive.
  • Fallback behavior is narrowed so “recovery” does not silently expand the attack surface.

That is a useful framing for the final post because it makes the lesson general.

When teams talk about resilient systems, they often mean availability. This advisory is a reminder that resilience logic can also weaken security when the fallback path does not preserve the same invariants as the primary path.

Why This Is Better Than A Generic “RCE” Post

Engineers already know that unsafe deserialization is bad. What is easy to miss is the specific pattern:

  • The primary path is designed with certain invariants.
  • The fallback path is designed to keep things running.
  • The system later treats the fallback artifact as equivalent to the primary artifact.

That equivalence assumption is what breaks.

A good post should make the reader come away with a reusable question:

If this component falls back to a less strict representation, does the reload path reintroduce power that the primary path would have denied?

Get in Touch

This is a strong example of how dangerous bugs hide in non-primary code paths. Teams spend most of their time reasoning about the happy path. Attackers do not.

Apex is most compelling when it catches issues like this: not a trivial bad API call, but a broken invariant created by the system’s attempt to stay flexible under failure or compatibility pressure.