CVE-2025-46726

Exploit

EPSS 0.45%
Veröffentlicht 05.05.2025 19:21:19
Zuletzt bearbeitet 01.08.2025 21:28:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. Version 0.53.4 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Langroid ≫ Langroid Version < 0.53.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.632

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
security-advisories@github.com	7.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f

Vendor Advisory

Exploit

https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

Patch

https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-46726

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-46726

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-46726

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-46726