CHECKPOINT

Human approves $500. Agent executes $50,000. The checkpoint is the exploit.
7 Subsystems | 291 Tests | 2 Critical CVEs | NIGHTFALL Tool 57
checkpoint-tool survey --target <URL>
LangGraph TOCTOU human-approval bypass CVE-2026-28277 / SQLite msgpack deserialization RCE CVE-2025-64439 / Cross-tenant thread_id enumeration / S3 checkpoint replacement mid-execution / Redis LPUSH checkpoint injection / Human sees transfer — agent executes different amount / Time-travel replay attacks / State persistence across security boundaries / Checkpoint stores hold full agent context

Agent Checkpoints Are Trusted Unconditionally — They Shouldn't Be

LangGraph, AutoGen, and every other agent framework that supports human-in-the-loop control relies on checkpointing: save state, wait for approval, resume. The assumption is that the state you saved is the state you resume. That assumption is wrong. CHECKPOINT exploits the gap between human approval and agent execution — across SQLite, Redis, S3, and in-memory stores.

LangGraph TOCTOU Human-Approval Bypass

LangGraph interrupt() saves state then waits for human approval. Between save and resume, an attacker modifies the checkpoint. Human approved $500 transfer — agent executes $50,000. The approval is detached from execution.

CVE-2026-28277 TOCTOU LANGGRAPH
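The defensive counterpart to the bypass described above is to bind the human's approval to the exact state the human saw, so that a checkpoint altered between approval and resume is refused. The following is an added example, not code from the CHECKPOINT tool and not LangGraph's API: a minimal in-memory checkpointer that records an HMAC over a canonical serialisation of the approved state and recomputes it at resume time. `ApprovalBoundCheckpointer`, the thread and field names, and the sample transfer are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Optional, Tuple


def canonical(state: Dict[str, Any]) -> bytes:
    """Deterministic encoding so that equal states always produce equal digests."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


class ApprovalBoundCheckpointer:
    """Hypothetical checkpoint store that ties each approval to a digest of the approved state.

    The HMAC key is held by the approval service, not by the store, so a party
    who can only write to the store cannot produce a valid digest for a changed state.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._store: Dict[str, Dict[str, Any]] = {}   # thread_id -> persisted state
        self._approved: Dict[str, str] = {}            # thread_id -> digest of approved state

    def _digest(self, state: Dict[str, Any]) -> str:
        return hmac.new(self._key, canonical(state), hashlib.sha256).hexdigest()

    def save(self, thread_id: str, state: Dict[str, Any]) -> None:
        """Persist state and wait for a human, which is what interrupt() does conceptually."""
        self._store[thread_id] = dict(state)

    def approve(self, thread_id: str, shown_state: Dict[str, Any]) -> str:
        """Record approval over the state rendered to the human, not merely over the thread id."""
        digest = self._digest(shown_state)
        self._approved[thread_id] = digest
        return digest

    def resume(self, thread_id: str) -> Dict[str, Any]:
        """Continue only if the stored state still matches what was approved."""
        expected = self._approved.get(thread_id)
        if expected is None:
            raise PermissionError("no approval recorded for thread %s" % thread_id)
        current = self._store[thread_id]
        if not hmac.compare_digest(expected, self._digest(current)):
            raise PermissionError("checkpoint changed after approval; refusing to resume")
        return dict(current)


def demo() -> Tuple[bool, bool]:
    """Returns (resume of untouched checkpoint succeeded, resume of altered checkpoint blocked)."""
    cp = ApprovalBoundCheckpointer()
    pending = {"tool": "transfer", "amount": 500, "to": "acct-constructed"}  # constructed sample
    cp.save("thread-1", pending)
    cp.approve("thread-1", pending)                  # the human sees and approves 500
    resumed_ok = cp.resume("thread-1")["amount"] == 500

    # Simulate the condition the text describes: the stored checkpoint is
    # altered after approval but before the agent resumes.
    cp._store["thread-1"]["amount"] = 50000
    try:
        cp.resume("thread-1")
        blocked = False
    except PermissionError:
        blocked = True
    return resumed_ok, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The key design point is that the approval record is a function of the state bytes, not of the thread identifier: a store that holds only "thread 142 approved" is exactly the detached approval the text describes, whereas a digest over the canonical state makes any post-approval write detectable at resume. Log the rejection with the thread id and both digests; a rejection of this kind is the detection signal for the window being abused.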

SQLite msgpack Deserialization RCE

LangGraph SQLite checkpointer deserialises msgpack payloads without schema validation. Crafted checkpoint triggers arbitrary code execution on the agent host at resume time. Full RCE from a checkpoint file.

CVE-2025-64439 DESERIALIZATION RCE

Cross-Tenant Thread ID Enumeration

LangGraph thread_id values are sequential integers. An attacker with one valid thread_id enumerates adjacent threads, accessing other users' agent state including conversation history, credentials cached in context, and pending tool calls.

IDOR THREAD ENUM DATA EXFIL
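Two controls close the enumeration described above: thread identifiers drawn from a large random space rather than a counter, and an ownership check on every load that answers identically for "does not exist" and "belongs to someone else". The following is an added example, not code from the CHECKPOINT tool or from LangGraph; `TenantScopedStore`, the principal names and the sample states are constructed assumptions. It also counts failed lookups per principal, which is the signal a defender would alert on.

```python
import secrets
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple


class TenantScopedStore:
    """Hypothetical checkpoint store with random thread ids and an owner check on every read."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}                # thread_id -> owning principal
        self._state: Dict[str, Dict[str, Any]] = {}     # thread_id -> checkpoint state
        self.denied: Counter = Counter()                # principal -> failed lookups

    def create_thread(self, principal: str, state: Dict[str, Any]) -> str:
        # 128 bits of randomness: there is no "adjacent" id for a caller to try.
        thread_id = secrets.token_urlsafe(16)
        self._owner[thread_id] = principal
        self._state[thread_id] = dict(state)
        return thread_id

    def load(self, principal: str, thread_id: str) -> Optional[Dict[str, Any]]:
        owner = self._owner.get(thread_id)
        # One answer for an unknown id and for another tenant's id, so the
        # response never confirms that a thread exists.
        if owner is None or owner != principal:
            self.denied[principal] += 1
            return None
        return dict(self._state[thread_id])

    def enumeration_suspects(self, threshold: int) -> List[str]:
        """Principals whose failed lookups reached the threshold; feed this to alerting."""
        return sorted(p for p, n in self.denied.items() if n >= threshold)


def demo() -> Tuple[bool, bool, List[str]]:
    """Returns (own thread readable, other tenant's thread hidden, principals flagged)."""
    store = TenantScopedStore()
    alice_thread = store.create_thread("alice", {"history": ["hello"]})            # constructed
    bob_thread = store.create_thread("bob", {"history": ["cached token: constructed"]})

    own_ok = store.load("alice", alice_thread) is not None
    cross_hidden = store.load("alice", bob_thread) is None

    # A principal probing ids it does not own accumulates denials.
    for guess in ("100", "101", "102"):
        store.load("alice", guess)

    return own_ok, cross_hidden, store.enumeration_suspects(threshold=3)


if __name__ == "__main__":
    print(demo())  # (True, True, ['alice'])
```

Random identifiers on their own are not an access control; the ownership check is what prevents cross-tenant reads even if an id leaks through a log or a URL. The denial counter is deliberately keyed by the calling principal, so a burst of misses from one identity stands out regardless of which ids were tried.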

S3 Checkpoint Replacement

Cloud-hosted agents checkpoint to S3. S3 bucket misconfiguration (public write, overly permissive IAM) allows an attacker to replace a checkpoint mid-execution. Agent resumes from attacker-controlled state.

S3 MID-EXECUTION STATE REPLACEMENT

Redis LPUSH Injection

Redis-backed checkpoint stores accept arbitrary writes if ACLs are misconfigured. CHECKPOINT injects malicious state entries that the agent loads at next resume, redirecting tool calls and goal state.

REDIS LPUSH GOAL HIJACK

Time-Travel Replay

Checkpointed state snapshots can be replayed to rewind agent execution to a prior decision point. Attacker replays from a checkpoint preceding a security check that has since passed, re-executing privileged operations.

REPLAY TIME-TRAVEL PRIVILEGE REPLAY

From Enumeration to Persistent Implant

Seven subsystems cover every phase of checkpoint exploitation: passive enumeration of the attack surface, TOCTOU injection through the approval window, deserialization RCE via crafted msgpack payloads, time-travel replay, cross-tenant state extraction, persistent goal-drift implants, and signed WARLORD-compatible reporting.

01 SURVEY (PASSIVE — ANALYSIS)
  Enumerates checkpoint stores — SQLite databases, Redis instances, S3 buckets, and in-memory stores. Maps thread IDs, checkpoint timestamps, agent identities, and state schemas. Produces a prioritised attack surface for subsequent subsystems.

02 INJECT (UNLEASHED --override)
  Exploits the LangGraph TOCTOU window (CVE-2026-28277). Modifies checkpoint state between human interrupt() and agent resume. Substitutes tool call parameters, goal directives, and approval values. The human approved a checkpoint the agent never sees.

03 SURGERY (UNLEASHED --override)
  Weaponises CVE-2025-64439. Crafts malicious msgpack payloads that execute arbitrary code on the agent host when the SQLite checkpointer deserialises at resume. Full RCE from a checkpoint file.

04 REPLAY (UNLEASHED --override)
  Captures valid checkpoint state and replays it to rewind agent execution to a prior decision point. Bypasses security checks that passed after the captured checkpoint. Re-executes privileged operations from a clean state the agent trusts.

05 CROSS (PASSIVE + ACTIVE)
  Enumerates adjacent thread_id values from a single known ID. Extracts state from co-tenant agent sessions — conversation history, cached credentials, pending tool calls, and goal state of other users' agents.

06 PERSIST (UNLEASHED --override --confirm-destroy)
  Establishes persistent presence in the checkpoint store. Injects state entries that survive agent restart. Embeds goal-drift directives that accumulate over multiple checkpoints, gradually redirecting agent behaviour.

07 REPORT (ALL MODES)
  Ed25519-signed, SHA-256-hashed reports. JSON (WARLORD-compatible) and Markdown. CVE mapping, thread enumeration results, injection parameters, and WARLORD handoff receipt.

Standard Scan. Then Unleashed.

Standard mode — SURVEY + CROSS (read-only) + REPORT:

$ checkpoint-tool survey --target https://agent.example.com
[SURVEY] Enumerating checkpoint stores...
  SQLite: agent.db                      47 checkpoints found
  Thread IDs: sequential integers detected (100–146)    THREAD-ENUM-001
  Redis: :6379                          ACL misconfiguration — write permitted
  S3: agent-checkpoints-prod            public write detected
[CROSS] Enumerating adjacent threads from ID 100...
  41 adjacent threads accessible — conversation history, cached credentials extracted
[REPORT] Generating signed report...
  Findings: 3 CRITICAL, 2 HIGH, 1 MEDIUM
  CVEs: CVE-2026-28277, CVE-2025-64439
SCAN COMPLETE | Signed ✓ | WARLORD-compatible JSON output
  JSON: reports/checkpoint-survey-2026-04-24.json
  MD: reports/checkpoint-survey-2026-04-24.md

UNLEASHED mode — all attack subsystems. Requires Ed25519 key + signed scope:

$ checkpoint-tool inject --target https://agent.example.com --thread-id 142 --override

TOCTOU Exploitation

Targets the race window between LangGraph interrupt() and resume(). Substitutes approval values, tool parameters, and goal directives inside the window.

Deserialization RCE

Crafts malicious msgpack payloads exploiting CVE-2025-64439. Arbitrary code execution on the agent host at checkpoint resume — no prior access required.

Ed25519 Signed Reports

Every report cryptographically signed with Ed25519. SHA-256 evidence chains. WARLORD-compatible JSON output. Tamper-evident by design.

WARLORD Integration

CHECKPOINT is WARLORD-registered. Findings feed into autonomous campaign orchestration. Every checkpoint vulnerability becomes a campaign pivot point.

Multi-Store Coverage

SQLite, Redis, S3, in-memory — CHECKPOINT targets every checkpoint backend in production use. One tool, every store type, every known attack vector.

7 Subsystems | 291 Tests | CVE-2026-28277 TOCTOU | CVE-2025-64439 RCE | Tool Number 57

Known Vulnerabilities CHECKPOINT Exploits

CHECKPOINT maps each subsystem to specific CVEs and vulnerability classes. Every finding in a CHECKPOINT report includes the relevant identifier, subsystem responsible, and a technical description of the exploitation mechanism.

Identifier       | Description                                                  | Subsystem        | Notes
CVE-2026-28277   | LangGraph interrupt() TOCTOU human-approval bypass           | INJECT           | Checkpoint modified between approval and resume
CVE-2025-64439   | LangGraph SQLite checkpointer msgpack deserialization RCE    | SURGERY          | Arbitrary code execution at agent resume
THREAD-ENUM-001  | LangGraph sequential thread_id IDOR                          | CROSS            | Cross-tenant state extraction
S3-CHECKPOINT    | S3 checkpoint store IAM misconfiguration                     | SURVEY / INJECT  | Mid-execution state replacement

Attack Surface, Standards, and Output

4 Store Types

Checkpoint Backends

  • SQLite (LangGraph default checkpointer)
  • Redis (distributed agent deployments)
  • Amazon S3 (cloud-native agent infra)
  • In-memory (development / test environments)
  • PostgreSQL (LangGraph production checkpointer)
  • Custom serialisation formats
Cryptographic

Report Integrity

  • Ed25519 digital signatures
  • SHA-256 evidence chains
  • WARLORD-compatible JSON output
  • Tamper-evident by design
  • Markdown + JSON dual output
  • Thread enumeration results preserved
OWASP LLM

Standards Mapping

  • LLM06 — Excessive Agency
  • LLM07 — System Prompt Leakage
  • LLM08 — Vector & Embedding Weaknesses
  • LLM02 — Sensitive Information Disclosure
  • LLM04 — Data and Model Poisoning
  • OWASP API Security — BOLA/IDOR

CHECKPOINT in the NIGHTFALL Kill Chain

CHECKPOINT is Tool 57 in the NIGHTFALL offensive pipeline — 65 tools across every layer. It operates at the agent execution layer, targeting the state persistence infrastructure that underpins human-in-the-loop workflows. Findings feed directly into WARLORD for autonomous campaign orchestration.

Tool 48 CRUCIBLE: Agent framework exploitation
Tool 49 VANTAGE: Agent telemetry & log injection
Tool 50 CIPHER: Cryptographic attack & disruption
Tool 55 FOUNDRY: Inference server exploitation
Tool 56 ADAPTER: LoRA/PEFT supply chain attack
Tool 57 CHECKPOINT (Active): Agent state persistence exploitation
Tool 58 DELEGATE: Agent identity & OAuth delegation
Tool 59 PHANTOM SKILL: AI agent supply chain attack
Orchestration WARLORD: Autonomous campaign orchestration
Defence AI Shield: Defend everything above it

Security Distros & Package Managers

Kali Linux: .deb package
Parrot OS: .deb package
BlackArch: PKGBUILD
PyPI: pip install
macOS: pip install
Windows: pip install
Docker: docker pull
RS OS: Pre-installed
Pure Engineering
Zero Wrappers. Every Attack Vector Written From Scratch.

CHECKPOINT does not rely on existing exploitation frameworks. Every TOCTOU injection routine, every msgpack payload generator, every Redis LPUSH attack vector, every S3 replacement sequence — written from scratch in pure Python. No subprocess calls. No external tool dependencies. Real exploitation, not orchestrated scripts.

7 Subsystems | 291 Tests Passing | 2 Critical CVEs | 0 External Dependencies
Ed25519 Cryptographic Override
CHECKPOINT UNLEASHED

Standard mode runs SURVEY + CROSS + REPORT — read-only enumeration with signed findings. UNLEASHED activates INJECT, SURGERY, REPLAY, and PERSIST — the destructive attack subsystems. Requires a valid Ed25519 private key and signed scope authorisation. One operator. Founder's machine only.

Standard: checkpoint-tool survey --target <URL>
  SURVEY + CROSS + REPORT (read-only)
Override: checkpoint-tool inject --target <URL> --thread-id <ID> --override
  All attack subsystems. Requires Ed25519 key + signed scope.

Authorised Use Only

Red Specter CHECKPOINT is intended for authorised security testing only. Exploitation of agent checkpoint stores on systems you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. CHECKPOINT is a professional offensive security tool for use by qualified security researchers and penetration testers against authorised targets only. Apache License 2.0.