AVE-2025-0106 — Checkpoint Injection Chain

Checkpoint Injection Chain

🟠 HIGH structural theoretical AVE-2025-0106

· aka: Two-Stage RCE, Surrogate-to-Constructor Chain, Stateful Compound Exploit

Summary

A compound, two-stage attack exploiting stateful agents: the first interaction injects a Unicode surrogate into persistent state to force a serialization format downgrade, and the second interaction injects a constructor payload that executes during the degraded deserialization — achieving RCE across separate agent sessions.

Blast Radius

Arbitrary code execution in the agent runtime. The chain nature makes detection difficult because the two stages can be separated by hours or days, and neither stage alone appears malicious.

Prerequisites

Agent with persistent state across sessions. Serializer with format fallback behavior. Attacker ability to inject content into agent state (via prompt, tool output, or memory write).

Environment

Frameworks: LangGraph
Multi-agent: No
Tools required: No
Memory required: Yes

Known Defences

Eliminate Format Fallback — ? layer
Content Sanitization Before Persistence — ? layer
Checkpoint Integrity Verification — ? layer
Temporal Anomaly Detection — ? layer

🔒 Full defence implementations available through the NAIL SDK.

AVE-2025-0105
AVE-2025-0029
AVE-2025-0101
CWE: CWE-502 (Deserialization of Untrusted Data), CWE-694 (Use of Multiple Resources with Duplicate Identifier)

🛡️ NAIL Institute — AVE Database