@langchain/langgraph-checkpoint-mongodb NoSQL injection vulnerability fixed in 1.3.1
What changed
MongoDBSaver used checkpoint identifier fields taken from config.configurable in MongoDB queries without strict type enforcement, which made NoSQL injection possible. Fixed in version 1.3.1 by adding runtime validation for configurable checkpoint identifiers.
Who it affects
Applications using @langchain/langgraph-checkpoint-mongodb with multi-tenant or user-isolated thread models that accept user-controlled values for thread_id, checkpoint_ns, or checkpoint_id and pass them into app.invoke(), app.stream(), or direct saver methods without validation.
What to do today
Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 or later and validate identifier fields at API boundaries.