Description

Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.

INFO

Published Date :

2025-05-20T17:24:31.618Z

Last Modified :

2025-05-20T17:53:02.636Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-46725 vulnerability.

Vendors Products
Langroid
  • Langroid
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-46725.

URL Resource
https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6 cve-icon cve-icon
https://github.com/langroid/langroid/security/advisories/GHSA-22c2-9gwg-mj59 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact