
We found results for “”
CVE-2025-46725
Good to know:

Date: May 20, 2025
Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, "LanceDocChatAgent" uses pandas eval() through "compute_from_docs()". As a result, an attacker may be able to make the agent run malicious commands through "QueryPlan.dataframe_calc]") compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
CWE-94Top Fix

Upgrade Version
Upgrade to version langroid - 0.53.15;https://github.com/langroid/langroid.git - 0.53.15
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |