
langroid

v0.64.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.


Topics

agents, ai, chatgpt, function-calling, llm, gpt-4, gpt4, information-retrieval, language-model, llama, llm-agent, llm-framework, local-llm, multi-agent-systems, openai-api, retrieval-augmented-generation

Affected surfaces

rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal

v0.64.0 fixes a path-traversal flaw in ReadFileTool, WriteFileTool, and ListDirTool, and expands the SQLChatAgent blocklist to prevent arbitrary file reads through SQL queries.

Why it matters: The security fix eliminates high‑severity (severity 90) path‑traversal risks; the breaking change restricts file‑tool paths to the configured `curr_dir` (severity 70).

Summary

AI summary

Security-focused release: fixes the advisory at https://github.com/langroid/langroid/security/advisories/GHSA-fg23-3346-88f5 (reported by https://github.com/chaitanyagarware) alongside other changes.

Changes in this release

Security Critical

Fixes path‑traversal vulnerability in ReadFileTool, WriteFileTool, ListDirTool.

Source: llm_adapter@2026-05-29

Confidence: high

Security Critical

Fixes arbitrary file read via SQLChatAgent by expanding blocklist to include PostgreSQL functions.

Source: llm_adapter@2026-05-29

Confidence: high

Breaking High

Restricts file‑tool paths to stay within configured `curr_dir`.

Source: llm_adapter@2026-05-29

Confidence: high

Breaking High

Rejects PostgreSQL/SQLite/MSSQL primitives that enable arbitrary file reads.

Source: llm_adapter@2026-05-29

Confidence: high

Full changelog

0.64.0 — Security release

This is a security release with two fixes for path-traversal / arbitrary-file-access vulnerabilities in Langroid's file tools and SQL chat agent. Upgrading is recommended for all users, particularly anyone who exposes these tools to untrusted input or LLM-influenced tool arguments.

pip install -U langroid

Security fixes

1. Path traversal in file tools (ReadFileTool, WriteFileTool, ListDirTool)

Advisory: GHSA-fg23-3346-88f5 — High (CVSS 7.1), CWE-22 / CWE-23

The file tools changed into the configured curr_dir but then operated on the raw, caller-supplied path without verifying that the final path stayed inside curr_dir. A value such as ../secret.txt, an absolute path, or an in-directory symlink pointing outside could read, write, or list files outside the intended workspace — a real risk in agentic workflows where an LLM or an end user can influence tool arguments.

Fix: a new safe_resolve_path() helper resolves the requested path against curr_dir and rejects anything that escapes it (covers .., absolute paths, and symlink-based escapes). All three tools now refuse out-of-bounds paths.

Reported by @chaitanyagarware.
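The containment check described above, written out as an added example (this is illustrative code, not Langroid's own safe_resolve_path()): the requested path is joined onto curr_dir, fully resolved so symlinks and `..` are collapsed, and then checked to still sit under the resolved root. The workspace, the symlink and the probe paths in demo() are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path would leave the workspace root."""


def safe_resolve(curr_dir, requested: str) -> Path:
    """Resolve `requested` against `curr_dir`; reject anything outside it.

    Hypothetical helper modelled on the advisory text: absolute paths are
    refused outright, and the joined path is resolved (following symlinks)
    before the containment test, so an in-directory symlink to an outside
    file is caught rather than followed.
    """
    root = Path(curr_dir).resolve(strict=True)
    req = Path(requested)
    if req.is_absolute():
        raise PathEscapeError(f"absolute path not allowed: {requested}")
    # resolve() follows symlinks and collapses '..' before we compare roots
    target = (root / req).resolve()
    if target != root and root not in target.parents:
        raise PathEscapeError(f"path escapes workspace: {requested}")
    return target


def demo() -> dict:
    """Build a constructed workspace with a symlink escape and classify probes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "workspace"
        root.mkdir()
        (root / "sub").mkdir()
        (root / "notes.txt").write_text("inside")
        outside = Path(tmp) / "outside.txt"       # constructed file outside the root
        outside.write_text("outside")
        os.symlink(outside, root / "link")        # in-directory symlink pointing outside
        for probe in ["notes.txt", "sub/../notes.txt", "../outside.txt",
                      "/etc/hostname", "link"]:
            try:
                safe_resolve(root, probe)
                results[probe] = "allowed"
            except PathEscapeError:
                results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{probe:20} {verdict}")
```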

2. Arbitrary file read via SQLChatAgent validator bypass

Advisory: GHSA-pmch-g965-grmr — High, CWE-22 / CWE-89

The defense-in-depth SQL blocklist introduced in 0.63.0 listed individual function names and missed the pg_read_file / pg_stat_file / pg_ls_* / pg_current_logfile family. A plain SELECT pg_read_file('...') therefore passed both the SELECT-only allowlist and the blocklist, allowing arbitrary file reads from the PostgreSQL host — even under the strict defaults. Narrower gaps in SQLite ATTACH and MSSQL OPENDATASOURCE handling were closed as well.

Fix: the blocklist now matches the entire pg_(read|stat|ls|current_logfile)... family, handles ATTACH with or without the DATABASE keyword, blocks OPENDATASOURCE alongside OPENROWSET, and additionally blocks CREATE ... LANGUAGE / RULE / EVENT TRIGGER / FOREIGN TABLE.

Reported by @tonghuaroot.
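A sketch of the layered validator the fix describes, as an added example rather than Langroid's own code: a SELECT-only allowlist runs first, then a pattern blocklist that covers the whole pg_(read|stat|ls|current_logfile) family, ATTACH with or without DATABASE, OPENDATASOURCE next to OPENROWSET, and the CREATE ... LANGUAGE / RULE / EVENT TRIGGER / FOREIGN TABLE forms named above. The regexes and the sample queries are constructed for this example.

```python
import re
from typing import Tuple

# Constructed blocklist modelled on the primitives named in the advisory text.
# The pg_ pattern is deliberately broad (it also catches pg_stat_* views);
# word boundaries keep a column such as "attachment" from tripping ATTACH.
BLOCKED_PATTERNS = [
    re.compile(r"\bpg_(read|stat|ls|current_logfile)\w*", re.I),         # PostgreSQL file-access family
    re.compile(r"\battach\b(\s+database\b)?", re.I),                     # SQLite ATTACH [DATABASE]
    re.compile(r"\bopen(rowset|datasource)\s*\(", re.I),                 # MSSQL ad-hoc remote access
    re.compile(r"\bcreate\b.*?\b(language|rule|event\s+trigger|foreign\s+table)\b", re.I | re.S),
]

# Allowlist: the statement must start with SELECT (optionally after a CTE).
SELECT_ONLY = re.compile(r"^\s*(with\b.*?)?select\b", re.I | re.S)


def validate_sql(sql: str) -> Tuple[bool, str]:
    """Return (allowed, reason): allowlist first, then blocklist.

    The blocklist is defense in depth; it is what catches a primitive that
    the SELECT-only rule lets through (e.g. SELECT pg_read_file(...)).
    """
    if not SELECT_ONLY.match(sql):
        return False, "only SELECT statements are permitted"
    for pat in BLOCKED_PATTERNS:
        m = pat.search(sql)
        if m:
            return False, f"blocked primitive: {m.group(0).strip()}"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed queries
        "SELECT name FROM users WHERE id = 3",
        "SELECT pg_read_file('x')",
        "SELECT 1; ATTACH 'other.db' AS o",
        "SELECT attachment FROM mail",
    ]
    for q in samples:
        print(validate_sql(q), "<-", q)
```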

Behavior change (why this is a minor release)

Both fixes restrict behavior that previously succeeded: file-tool paths that escape curr_dir, and the PostgreSQL/SQLite/MSSQL primitives listed above, are now rejected with an explicit error. This is intentional. If your application legitimately relied on any of these, you will need to adjust.

Upgrade

pip install -U langroid

Full changelog: 0.63.0...0.64.0

Breaking Changes

  • File tools (ReadFileTool, WriteFileTool, ListDirTool) now reject paths that escape the configured `curr_dir`.
  • SQLChatAgent validator blocks additional PostgreSQL functions (`pg_read_file`, `pg_stat_file`, `pg_current_logfile`) and other cross‑DB primitives.

Security Fixes

  • GHSA-fg23-3346-88f5 — High (CVSS 7.1) – Path traversal in file tools (`ReadFileTool`, `WriteFileTool`, `ListDirTool`).
  • GHSA-pmch-g965-grmr — High – Arbitrary file read via `SQLChatAgent` by bypassing the SQL blocklist.


About langroid

Harness LLMs with Multi-Agent Programming


Related context

Earlier breaking changes

  • v0.65.0 Default PDF parser switched from pymupdf4llm to pypdfium2; AGPL dependency removed.
