Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc`, compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and adds several warnings about the risky behavior in the project documentation.
History
Tue, 20 May 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Tue, 20 May 2025 17:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc`, compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and adds several warnings about the risky behavior in the project documentation. | |
Title | Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store | |
Weaknesses | CWE-94 | |
References | | |
Metrics | cvssV4_0 | |

Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-05-20T17:24:31.618Z
Updated: 2025-05-20T17:53:02.636Z
Reserved: 2025-04-28T20:56:09.084Z
Link: CVE-2025-46725

Updated: 2025-05-20T17:52:59.906Z

Status : Awaiting Analysis
Published: 2025-05-20T18:15:46.580
Modified: 2025-05-21T20:24:58.133
Link: CVE-2025-46725
