{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25481", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.821Z", "datePublished": "2026-02-04T20:03:32.017Z", "dateUpdated": "2026-02-04T20:40:26.952Z"}, "containers": {"cna": {"title": "Langroid has WAF Bypass Leading to RCE in TableChatAgent", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f"}, {"name": "https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj", "tags": ["x_refsource_MISC"], "url": "https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj"}, {"name": "https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea", "tags": ["x_refsource_MISC"], "url": "https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea"}], "affected": [{"vendor": "langroid", "product": "langroid", "versions": [{"version": "< 0.59.32", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:03:32.017Z"}, "descriptions": [{"lang": "en", "value": "Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32."}], "source": {"advisory": "GHSA-x34r-63hx-w57f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T20:39:55.136196Z", "id": "CVE-2026-25481", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:40:26.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25481", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T20:39:55.136196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:40:20.303Z"}}], "cna": {"title": "Langroid has WAF Bypass Leading to RCE in TableChatAgent", "source": {"advisory": "GHSA-x34r-63hx-w57f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langroid", "product": "langroid", "versions": [{"status": "affected", "version": "< 0.59.32"}]}], "references": [{"url": "https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f", "name": "https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj", "name": "https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea", "name": "https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:03:32.017Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25481", "state": "PUBLISHED", "dateUpdated": "2026-02-04T20:40:26.952Z", "dateReserved": "2026-02-02T16:31:35.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T20:03:32.017Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langroid:langroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5E51268-4EEF-4AFB-A80B-DA57B3099F66", "versionEndExcluding": "0.59.32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32."}, {"lang": "es", "value": "Langroid es un framework para construir aplicaciones impulsadas por modelos de lenguaje grandes. Antes de la versi\u00f3n 0.59.32, existe un bypass para la correcci\u00f3n de CVE-2025-46724. TableChatAgent puede llamar a la herramienta pandas_eval para evaluar la expresi\u00f3n. Existe un WAF en langroid/utils/pandas_utils.py introducido para bloquear la inyecci\u00f3n de c\u00f3digo CVE-2025-46724. Sin embargo, puede ser evadido debido a que _literal_ok() devuelve False en lugar de lanzar UnsafeCommandError en una entrada inv\u00e1lida, combinado con el acceso sin restricciones a atributos dunder peligrosos (__init__, __globals__, __builtins__). Esto permite encadenar m\u00e9todos de DataFrame en lista blanca para filtrar el builtin eval y ejecutar c\u00f3digo arbitrario. Este problema ha sido parcheado en la versi\u00f3n 0.59.32."}], "id": "CVE-2026-25481", "lastModified": "2026-02-20T21:20:25.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T20:16:07.447", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:16:12.208442+00:00", "value": {"mitigation_remediation": ["Upgrade Langroid to version 0.59.32 or later to incorporate the WAF fix.", "If an immediate upgrade is not possible, disable the TableChatAgent functionality or remove any code paths that call pandas_eval for untrusted input.", "Implement additional input validation to ensure that any expressions passed to pandas_eval are strictly literal and that no dunder attributes are accessible, mitigating the risk until a patch is applied."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the Langroid framework built before version 0.59.32 are affected. This includes the langroid product from the langroid vendor. Systems using earlier releases should check their installed version and consider an upgrade.", "description_and_impact": "Langroid\u2019s TableChatAgent allows evaluation of user\u2011supplied expressions via pandas_eval. A bypass in the framework\u2019s WAF removes protection originally intended for CVE\u20112025\u201146724, because _literal_ok incorrectly returns False rather than throwing an UnsafeCommandError. The code also exposes dangerous dunder attributes such as __init__, __globals__, and __builtins__, letting an attacker chain whitelisted DataFrame methods to access the eval builtin. This flaw enables execution of arbitrary code, making it a classic code injection problem (CWE\u201194).", "risk_and_exploitability": "The vulnerability carries a CVSS 9.4 score, indicating a high severity of Remote Code Execution. EPSS is less than 1\u2009%, suggesting that exploitation is unlikely to be widespread, and the issue is not yet listed in the CISA KEV catalog. An attacker would need to control input to the TableChatAgent component; once triggered, the bypass allows arbitrary code to run with the privileges of the process hosting the agent. Given the high impact and the low current probability of exploitation, organizations should treat this as a critical patchability risk."}}}}, "created": "2026-02-05T11:40:04.123527+00:00", "updated": "2026-04-17T23:30:15.902701+00:00", "vendors": ["langroid", "langroid$PRODUCT$langroid"]}