Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
History

Tue, 20 May 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 May 2025 17:45:00 +0000

Type Values Removed Values Added
Description Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
Title Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-05-20T17:24:31.618Z

Updated: 2025-05-20T17:53:02.636Z

Reserved: 2025-04-28T20:56:09.084Z

Link: CVE-2025-46725

cve-icon Vulnrichment

Updated: 2025-05-20T17:52:59.906Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-05-20T18:15:46.580

Modified: 2025-05-21T20:24:58.133

Link: CVE-2025-46725

cve-icon Redhat

No data.