Advisories for Pypi/Langroid package

Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid Affected Scope langroid < 0.63.0 Vulnerability Description SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to …

Affected Scope langroid <= 0.59.31 Vulnerability Description CVE-2025-46724 fix bypass: TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (init, globals, builtins). This allows chaining whitelisted DataFrame methods to leak the eval builtin …

TableChatAgent uses pandas eval(). If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection.

LanceDocChatAgent uses pandas eval() through compute_from_docs(): https://github.com/langroid/langroid/blob/18667ec7e971efc242505196f6518eb19a0abc1c/langroid/vector_store/base.py#L136-L150 As a result, an attacker may be able to make the agent run malicious commands through QueryPlan.dataframe_calc compromising the host system.

A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.