Command Injection Vulnerability in Langroid Framework by Langroid
CVE-2025-46725

8.1HIGH

Key Information:

Vendor: Langroid
Status: Langroid
Vendor: CVE Published:; 20 May 2025

What is CVE-2025-46725?

The Langroid Framework, utilized for developing applications powered by large language models, had a serious command injection vulnerability prior to version 0.53.15. In affected versions, the LanceDocChatAgent component improperly utilized the pandas eval() function within compute_from_docs(), potentially allowing an attacker to execute arbitrary commands on the host system. Version 0.53.15 mitigates this risk by implementing input sanitization for this function by default and includes clear warnings regarding the associated risks in its documentation.

Affected Version(s)

langroid < 0.53.15

References

https://github.com/langroid/langroid/security/advisories/...

x_refsource_CONFIRM

https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2...

x_refsource_MISC

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2025
Vulnerability Reserved
Apr 28, 2025