Listen to this Post
The langgraph-sdk Python package (versions ≤ 0.3.14) constructs HTTP request paths for resource operations by directly interpolating caller‑supplied identifier values into URL templates without any sanitization. This unsafe path construction allows identifiers containing URL‑special characters (e.g., /, .., %2e) to alter the final request path, potentially pointing to a different resource—or even a different resource type—than intended by the SDK method.
In typical usage, SDK methods accept identifier parameters (such as thread IDs or assistant IDs) and embed them into path templates like /threads/{thread_id}. When an attacker supplies a value like ../admin/secrets, the resulting path becomes /threads/../admin/secrets, which resolves to `/admin/secrets` on the server. If the server exposes sensitive endpoints under that path, the attacker can access, modify, or delete resources outside their authorized scope.
The risk is highest in two specific deployment patterns:
1. Applications that forward end‑user input directly into SDK identifier parameters without validating against an expected format (e.g., a UUID).
2. Environments that rely on URL‑prefix‑based authorization at an upstream layer (reverse proxy, edge gateway, or WAF), where the authorization decision is made on the intended path rather than the final delivered path. In such setups, the upstream gateway may authorize `/threads/` but the mutated request reaches /admin/secrets, bypassing the check.
The LangGraph server runtime itself is not vulnerable—it simply processes the HTTP request it receives. The flaw resides entirely in the SDK’s path construction logic. There is no evidence of this being exploited in the wild, but the change is a proactive hardening measure.
The fix, released in version 0.3.15, applies path‑segment encoding (percent‑encoding) to all identifier values before interpolation. Characters like `/` become %2F, `..` becomes %2E%2E, and the resulting path remains unambiguous. Applications that already validate identifiers as UUIDs are unaffected, as UUIDs contain only safe characters.
DailyCVE Form:
Platform: ……. Python SDK
Version: …….. 0.3.14 & prior
Vulnerability :…… Path Traversal
Severity: ……. Medium (CVSS 4.2)
date: ………. 2026-06-16
Prediction: ……. Patch released 0.3.15
What Undercode Say:
Analytics – The vulnerability stems from unsafe string interpolation in HTTP path construction. The following analysis can be performed to detect vulnerable usage:
Check installed langgraph-sdk version pip show langgraph-sdk | grep Version Search for SDK method calls that pass unsanitized identifiers grep -r "langgraph_sdk" --include=".py" | grep -E "(threads|assistants|runs)" | grep -v "uuid" Simulate path traversal payload curl -X GET "http://langgraph-server/threads/../admin/config" -H "Authorization: Bearer $TOKEN" Monitor upstream WAF logs for encoded path traversal patterns grep -E "(%2e%2e|../|%2f)" /var/log/waf/access.log
Exploit:
An attacker can craft an identifier value containing path traversal sequences and pass it to any SDK method that accepts an identifier parameter. For example:
from langgraph_sdk import LangGraphClient client = LangGraphClient(endpoint="https://langgraph-server") Malicious thread_id with path traversal thread_id = "../../admin/secrets" The SDK constructs: /threads/../../admin/secrets → /admin/secrets client.threads.get(thread_id=thread_id)
If the server exposes an `/admin/secrets` endpoint and the upstream WAF only authorizes /threads/, the request reaches the administrative endpoint without proper checks, potentially exposing sensitive configuration or data.
Protection:
- Upgrade to langgraph-sdk >= 0.3.15 immediately.
- Validate all identifier inputs against a strict allowlist (e.g., UUID regex
[0-9a-f]{8}-...) before passing them to SDK methods. - Avoid relying solely on URL‑prefix‑based authorization upstream; enforce authorization at the LangGraph server layer or on parsed, validated paths.
- Deploy a WAF rule to block requests containing
../,%2e%2e, or encoded path traversal sequences.
Impact:
- Confidentiality – Unauthorized disclosure of resource content (e.g., secrets, thread data, assistant configurations).
- Integrity – Unauthorized modification or deletion of resources beyond the caller’s权限.
- Authorization Bypass – Upstream prefix‑based authorization decisions can diverge from the final delivered path, allowing attackers to reach restricted endpoints.
- Resource Type Confusion – SDK methods intended for one resource type (e.g., threads) may inadvertently operate on a different resource type (e.g., admin endpoints).
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
