· aka: Checkpoint RCE, Unsafe State Reload, Persistence Layer Code Execution
Agentic frameworks that persist agent state (checkpoints, caches, stores) use unsafe deserialization by default: a pickle fallback taken when the stored bytes are not valid JSON, msgpack extension types that rebuild objects from a module and class name carried in the payload, and JSON "constructor" encodings in which the payload itself names the callable to invoke and its arguments. Each of these lets the stored blob decide what code runs when it is loaded, so compromise of the persistence layer becomes arbitrary code execution in the agent.
Arbitrary code execution in the agent runtime. Write access to the persistence layer escalates to full application compromise: the attacker's payload runs with the agent's privileges the next time the state is loaded, which is enough to exfiltrate environment variables (the usual home of API keys and credentials) and to move laterally to any system the agent can reach.
Agent with persistent state (checkpointer, cache, or store) and an attacker with write access to the persistence backend, whether through a shared database, a cache server, or an object store the agent trusts.
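The following is an added illustration, not code from the page or from any framework's SDK. It builds a small checkpoint serializer with the two unsafe habits described above (pickle fallback on non-JSON bytes, and a JSON "constructor" mode that imports whatever the payload names), shows that a blob an attacker wrote into the store runs code on load, and puts a hardened serializer beside it: JSON only, a closed allowlist of tagged types, and an HMAC over the blob keyed from outside the store. Every class, function and tag name here is hypothetical, and the marker environment variables stand in for whatever a real payload would do.

```python
"""Constructed demo: unsafe agent checkpoint loading beside a hardened loader.
Names are hypothetical; nothing here is a real framework's API."""
import hashlib
import hmac
import importlib
import json
import os
import pickle
from datetime import datetime
from typing import Any, Callable, Dict


class UnsafeCheckpointSerializer:
    """Convenience-first persistence: JSON with constructor reconstruction, pickle fallback."""

    def loads(self, blob: bytes) -> Any:
        try:
            return json.loads(blob, object_hook=self._reconstruct)
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            # VULNERABLE: anything the store hands back that is not JSON goes to pickle,
            # so a writer to the store gets __reduce__ execution in the agent process.
            return pickle.loads(blob)

    @staticmethod
    def _reconstruct(obj: dict) -> Any:
        # VULNERABLE "constructor mode": the payload names the module and attribute to call.
        if obj.get("type") == "constructor":
            target: Any = importlib.import_module(obj["id"][0])
            for attr in obj["id"][1:]:
                target = getattr(target, attr)
            return target(*obj.get("args", []), **obj.get("kwargs", {}))
        return obj


class Payload:
    """What an attacker writes into the checkpoint row. Only builtins.exec and a string end up
    in the pickle, so the loading side needs no custom class for __reduce__ to fire."""

    def __init__(self, marker: str) -> None:
        self.marker = marker

    def __reduce__(self):
        # Benign stand-in for a real payload: set a marker instead of exfiltrating os.environ.
        return (exec, (f"import os; os.environ[{self.marker!r}] = 'executed'",))


def json_constructor_payload(marker: str) -> bytes:
    """Valid JSON that still executes code under the unsafe loader's constructor mode."""
    code = f"import os; os.environ[{marker!r}] = 'executed'"
    return json.dumps({"type": "constructor", "id": ["builtins", "exec"], "args": [code]}).encode()


class SafeCheckpointSerializer:
    """Hardened loader: JSON only, allowlisted data-only reconstructors, HMAC over the blob.
    Assumption: the key comes from the application's secret store, never from the backend."""

    ALLOWED: Dict[str, Callable[[str], Any]] = {"datetime": datetime.fromisoformat}

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode() + b"." + body

    def dumps(self, state: Any) -> bytes:
        return self._sign(json.dumps(state, default=self._encode).encode())

    def loads(self, blob: bytes) -> Any:
        tag, _, body = blob.partition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("checkpoint integrity check failed")  # tampered or foreign blob
        return json.loads(body, object_hook=self._decode)  # never pickle, never ext objects

    @staticmethod
    def _encode(obj: Any) -> dict:
        if isinstance(obj, datetime):
            return {"__tag__": "datetime", "value": obj.isoformat()}
        raise TypeError(f"refusing to persist {type(obj).__name__}")

    @classmethod
    def _decode(cls, obj: dict) -> Any:
        if "__tag__" not in obj:
            return obj
        ctor = cls.ALLOWED.get(obj["__tag__"])
        if ctor is None:
            raise ValueError(f"unknown tag {obj['__tag__']!r}")  # payload may not choose code
        return ctor(obj["value"])


def rejects(serializer: SafeCheckpointSerializer, blob: bytes) -> bool:
    try:
        serializer.loads(blob)
        return False
    except ValueError:
        return True


def demo() -> Dict[str, bool]:
    """Runs both loaders over the same attacker-written blobs and reports what happened."""
    for name in ("NAIL_DEMO_PICKLE", "NAIL_DEMO_JSON", "NAIL_DEMO_SAFE"):
        os.environ.pop(name, None)
    unsafe, results = UnsafeCheckpointSerializer(), {}
    unsafe.loads(pickle.dumps(Payload("NAIL_DEMO_PICKLE")))
    results["pickle_fallback_executed"] = os.environ.get("NAIL_DEMO_PICKLE") == "executed"
    unsafe.loads(json_constructor_payload("NAIL_DEMO_JSON"))
    results["json_constructor_executed"] = os.environ.get("NAIL_DEMO_JSON") == "executed"
    safe = SafeCheckpointSerializer(key=b"demo-key-from-secret-store")
    results["safe_rejects_pickle"] = rejects(safe, pickle.dumps(Payload("NAIL_DEMO_SAFE")))
    results["safe_rejects_unsigned_json"] = rejects(safe, json_constructor_payload("NAIL_DEMO_SAFE"))
    forged = safe._sign(json.dumps({"__tag__": "builtins.exec", "value": "x"}).encode())
    results["safe_allowlist_blocks_unknown_tag"] = rejects(safe, forged)  # even with the key
    state = {"thread_id": "t-1", "messages": ["hello"], "ts": datetime(2024, 1, 2, 3, 4, 5)}
    results["safe_roundtrip"] = safe.loads(safe.dumps(state)) == state
    results["safe_no_side_effect"] = "NAIL_DEMO_SAFE" not in os.environ
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two layers in the hardened loader address different halves of the precondition: the HMAC makes a write to the backend detectable as long as the key stays out of the backend, and the allowlist keeps a forged or legitimately signed blob from naming code to run, so a leaked key still does not turn the store into an execution primitive.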
🔒 Full defence implementations available through the NAIL SDK.