Description
@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: 3.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The @langchain/langgraph-checkpoint-redis package incorporates user-supplied filter keys and values directly into RediSearch queries without proper escaping. Because RediSearch includes special syntax characters that control query logic, an attacker can craft a filter key or value containing these characters to alter the query’s evaluation. The flaw can therefore allow the attacker to read data they should not access, compromising confidentiality. The weakness is a classic example of query injection (CWE-74).

Affected Systems

This vulnerability affects all releases of the @langchain/langgraph-checkpoint-redis component of langchain-ai:langgraphjs earlier than version 1.0.2. Deployments that use the RedisSaver or ShallowRedisSaver classes with user-controlled filter parameters are vulnerable. The issue exists in the Redis checkpoint implementation that relies on RediSearch for indexing and querying.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of 4% suggests a modest probability of exploitation in the wild. The vulnerability is not yet cataloged as a known exploited vulnerability (not in KEV). Exploitation would require the attacker to supply a crafted filter payload through the application's interface that forwards filter keys and values to the package. Based on the description, the likely attack vector is inferred to be user input that the application's API passes to RedisSaver or ShallowRedisSaver.

Generated by OpenCVE AI on June 18, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @langchain/langgraph-checkpoint-redis package to version 1.0.2 or later to apply the vendor patch that escapes filter inputs.
  • Implement input validation for all user-supplied filter keys and values before they are combined into RediSearch queries, ensuring that only allowed characters or whitelisted patterns are accepted to mitigate CWE-74 injection.
  • If an immediate update is not possible, sanitize all filter keys and values by escaping RediSearch's special syntax characters to prevent unintended query manipulation until a patch is applied.
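
The validation and escaping steps recommended above, sketched as an added example. This is not code from the package or its vendor patch; the `thread_id` field name, the TAG-field index layout and the helper names are assumptions made for illustration.

```javascript
// Added example, not the package's code. The field name `thread_id` and the
// TAG-field index layout are assumptions made for illustration.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// Conservative escaping (an assumption, stricter than strictly required):
// backslash-escape every character that is not an ASCII letter, digit or
// underscore, so no RediSearch syntax character reaches the parser unescaped.
function escapeTagValue(value) {
  return String(value).replace(/[^A-Za-z0-9_]/g, "\\$&");
}

// Validate one filter entry and return its query clause.
function filterClause(key, value) {
  // Allowlist for keys: anything outside the identifier pattern is rejected,
  // not escaped, because a key becomes a field name in the query.
  if (!SAFE_KEY.test(key)) {
    throw new TypeError(`filter key rejected: ${JSON.stringify(key)}`);
  }
  // Only scalar values; objects and arrays would stringify unpredictably,
  // and an empty value would produce an empty tag set.
  const okType = ["string", "number", "boolean"].includes(typeof value);
  if (!okType || value === "" || Number.isNaN(value)) {
    throw new TypeError(`filter value rejected for key ${key}`);
  }
  return `@${key}:{${escapeTagValue(value)}}`;
}

// The server-chosen scope clause comes first; user filters can only add
// further AND-ed restrictions, never rewrite the scope.
function buildQuery(threadId, filter = {}) {
  const clauses = [filterClause("thread_id", threadId)];
  for (const [key, value] of Object.entries(filter)) {
    if (key === "thread_id") {
      throw new TypeError("filter must not override the scope field");
    }
    clauses.push(filterClause(key, value));
  }
  // Parenthesise each clause so it is parsed as one unit.
  return clauses.map((c) => `(${c})`).join(" ");
}

// Constructed sample input: a value containing RediSearch syntax characters.
const sample = buildQuery("thread-42", { source: "web|api {beta}" });
console.log(sample);
```

Keys are rejected when they fall outside the allowlist, while values are escaped and kept, so a legitimate value containing punctuation still matches as a literal tag.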



Advisories
Source | ID | Title
Github GHSA | GHSA-5mx2-w598-339m | RediSearch Query Injection in @langchain/langgraph-checkpoint-redis
History

Tue, 24 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Langchain-ai; Langchain-ai langgraphjs
Vendors & Products | | Langchain-ai; Langchain-ai langgraphjs

Fri, 20 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | @langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.
Title | | RediSearch Query Injection in @langchain/langgraph-checkpoint-redis
Weaknesses | | CWE-74
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:33:25.127Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27022

Vulnrichment

Updated: 2026-02-24T18:33:16.867Z

NVD

Status: Deferred

Published: 2026-02-20T22:16:28.480

Modified: 2026-06-17T10:26:34.403

Link: CVE-2026-27022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T11:00:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')