PT-2026-21300 · Langchain · @Langchain/Langgraph-Checkpoint-Redis
Yardenporat353 · Published 2026-02-18 · Updated 2026-03-19 · CVE-2026-27022
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@langchain/langgraph-checkpoint-redis versions prior to 1.0.2
Description
A query injection issue exists in the RedisSaver and ShallowRedisSaver classes of the @langchain/langgraph-checkpoint-redis package. These classes build RediSearch queries by interpolating user-supplied filter keys and values directly into the query string without sufficient sanitization. RediSearch query syntax reserves special characters that change how a query is parsed, so when user-controlled data contains these characters the query logic can be altered, potentially bypassing the access controls the filter was meant to enforce. The root cause is the direct interpolation of user-provided filter keys and values into RediSearch queries without proper escaping.
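The pattern described above, as an added example that is not code from @langchain/langgraph-checkpoint-redis or its fix: a hypothetical RediSearch TAG-filter builder that interpolates keys and values as-is, beside a hardened builder that validates keys against an allow-list and backslash-escapes values, plus a defender-side check that flags filter input containing query metacharacters. The special-character set, the allow-list of filter keys and all function names are assumptions made for this example.

```javascript
// Added example, not the package's own code. Demonstrates why unescaped
// interpolation into a RediSearch query is unsafe and how to harden it.

// Characters RediSearch treats as syntax in query text. Assumption: a
// conservative superset for escaping; the package's own list may differ.
const SPECIAL_CHAR = /[,.<>{}\[\]"':;!@#$%^&*()\-+=~|\/\\ ]/;
const SPECIAL_CHAR_G = new RegExp(SPECIAL_CHAR.source, 'g');

// Escape each special character with a backslash so it matches literally.
function escapeTagValue(value) {
  return String(value).replace(SPECIAL_CHAR_G, (ch) => `\\${ch}`);
}

// Filter keys become field names in the query, so they must be identifiers
// from a known set, never arbitrary text. Hypothetical allow-list.
const ALLOWED_FILTER_KEYS = new Set(['source', 'step', 'writes', 'parents']);

function validateFilterKey(key) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key) || !ALLOWED_FILTER_KEYS.has(key)) {
    throw new Error(`rejected filter key: ${JSON.stringify(key)}`);
  }
  return key;
}

// Vulnerable pattern: key and value are interpolated without escaping, so a
// metacharacter in the value (for example "|") becomes query syntax.
function buildFilterQueryUnsafe(filter) {
  return Object.entries(filter)
    .map(([k, v]) => `@${k}:{${v}}`)
    .join(' ');
}

// Hardened pattern: the key is validated and the value is escaped, so both
// are confined to the positions the developer intended.
function buildFilterQuerySafe(filter) {
  return Object.entries(filter)
    .map(([k, v]) => `@${validateFilterKey(k)}:{${escapeTagValue(v)}}`)
    .join(' ');
}

// Defender-side check: does a raw filter contain anything that would be read
// as syntax if interpolated unescaped? Useful for logging or alerting on
// requests reaching a deployment still on a version prior to 1.0.2.
function filterHasMetacharacters(filter) {
  return Object.entries(filter).some(
    ([k, v]) => SPECIAL_CHAR.test(k) || SPECIAL_CHAR.test(String(v))
  );
}

// Constructed sample inputs.
const benign = { source: 'input', step: 3 };
const withSpecials = { source: 'a|b' };
console.log(buildFilterQueryUnsafe(withSpecials)); // two alternatives, not one literal
console.log(buildFilterQuerySafe(withSpecials));   // single escaped literal
console.log(filterHasMetacharacters(benign), filterHasMetacharacters(withSpecials));
```

The escaping alone is not sufficient for keys, because a key is emitted outside the braces where escaping rules differ; that is why the hardened builder rejects any key not on the allow-list rather than trying to escape it.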
Recommendations
Update to version 1.0.2 or later.
Weakness Enumeration
Special Elements Injection
Affected Products
@Langchain/Langgraph-Checkpoint-Redis