Description
A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package’s filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping.
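The interpolation pattern described above, next to a hardened builder, as an added example (not the package's own code or its actual fix). The function names, the field names `source` and `owner`, the key pattern and the sample input are assumptions constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the package's API.

// Field names are restricted to a plain identifier shape.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Backslash-escape every character that is not a letter, digit or underscore,
// so RediSearch reads the value as literal TAG text rather than query syntax.
function escapeTagValue(value) {
  return String(value).replace(/[^\p{L}\p{N}_]/gu, "\\$&");
}

// Flawed pattern: filter keys and values are interpolated as-is.
function buildFilterUnsafe(filter) {
  return Object.entries(filter)
    .map(([key, value]) => `@${key}:{${value}}`)
    .join(" ");
}

// Hardened form: reject unexpected keys and empty values, escape the rest.
function buildFilterSafe(filter) {
  return Object.entries(filter)
    .map(([key, value]) => {
      if (!FIELD_NAME.test(key)) {
        throw new Error(`invalid filter key: ${JSON.stringify(key)}`);
      }
      const escaped = escapeTagValue(value);
      if (escaped === "") {
        throw new Error(`empty filter value for key: ${key}`);
      }
      return `@${key}:{${escaped}}`;
    })
    .join(" ");
}

// Constructed input: one filter value that carries query metacharacters.
const sample = { source: "loop} | @owner:{other" };

console.log("unsafe:", buildFilterUnsafe(sample)); // value alters the query shape
console.log("safe:  ", buildFilterSafe(sample));   // value stays inside one tag
```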
Recommendation
Update the @langchain/langgraph-checkpoint-redis package to the latest compatible version. Version details:
- Affected version(s): < 1.0.2
- Patched version(s): 1.0.2
References
Tags: npm, @langchain/langgraph-checkpoint-redis
Last updated on February 23, 2026