
langroid

v0.65.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

agents ai chatgpt function-calling llm gpt-4
gpt4 information-retrieval language-model llama llm-agent llm-framework local-llm multi-agent-systems openai-api retrieval-augmented-generation

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 3d

GHSA-6xc5-4r68-67fc patches a bypass of the SQL function‑name blocklist in `SQLChatAgent` and adds rejection of PostgreSQL‑specific obfuscations for dangerous functions.

Why it matters: Fixes an issue rated CVE severity 90 (GHSA) by blocking the bypasses; deploy version 0.65.1 to prevent exploitation of `pg_read_file` via obfuscated calls.

Summary

AI summary

GHSA-6xc5-4r68-67fc fixes a bypass of the SQL function-name blocklist in SQLChatAgent

Changes in this release

Security Critical

Blocks bypass of SQL function-name blocklist in `SQLChatAgent` for PostgreSQL.


Source: llm_adapter@2026-06-09

Confidence: high

Breaking High

Rejects additional PostgreSQL-specific obfuscations of dangerous functions like `pg_read_file` in `SQLChatAgent`.


Source: llm_adapter@2026-06-09

Confidence: high

Full changelog

0.65.1 — Security release

A security patch closing a bypass of the SQL function-name blocklist that shipped in 0.64.0. Upgrading is recommended for anyone using `SQLChatAgent` with PostgreSQL — especially deployments where LLM-influenced SQL runs against a role that can call `pg_read_file`.

```sh
pip install -U langroid
```

Security fix

SQLChatAgent dangerous-function blocklist bypassable via quoted / commented / schema-qualified calls

Advisory: GHSA-6xc5-4r68-67fc — High, CWE-22 / CWE-89

The dangerous-function regex shipped in 0.64.0 (see parent advisory GHSA-pmch-g965-grmr) requires a function name to be followed directly by `\s*\(`. PostgreSQL accepts equivalent calls where the name is separated from `(` by a quoted identifier, an inline comment, or schema qualification:

```sql
SELECT "pg_read_file"('/etc/passwd')
SELECT pg_read_file/**/('/etc/passwd')
SELECT pg_catalog."pg_read_file"('/etc/passwd')
```

All three evade the regex, still parse as `SELECT`, and execute the same server-side `pg_read_file` file-read primitive — re-opening the very vulnerability the 0.64.0 fix was meant to close.

Fix: after the existing sqlglot parse, walk the AST and reject any function call whose normalized (unquoted, schema-stripped, case-folded) name is in the dangerous set or matches a dangerous prefix (`pg_read*`, `pg_stat*`, `pg_ls*`, `pg_current_logfile*`, `lo_*`, `load_file`, `load_extension`, `sp_oacreate`, `sp_oamethod`). sqlglot normalizes all three bypass forms to the same `Anonymous` node, so one AST check catches every variant. The pre-existing raw-text regex blocklist is kept as a cheap pre-filter (defense in depth).

Reported by @dodge1218.
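
The sketch below is an added example, not langroid's code: it shows why matching on the normalized call name catches the forms that a raw-text `name\s*\(` regex misses. A small hand-written lexer stands in for the sqlglot AST walk described above; `NAIVE_RE`, `TOKEN_RE` and `dangerous_calls` are hypothetical names, and the lexer rejects any syntax it does not model instead of guessing.

```python
import re

# Assumed stand-in for the raw-text check: name must sit directly before \s*\(
NAIVE_RE = re.compile(r"\b(?:pg_read_file|load_file|load_extension)\s*\(", re.I)
# Exact names and prefixes as listed in the release notes
DANGEROUS_NAMES = {"load_file", "load_extension", "sp_oacreate", "sp_oamethod"}
DANGEROUS_PREFIXES = ("pg_read", "pg_stat", "pg_ls", "pg_current_logfile", "lo_")

# Hypothetical mini-lexer for plain SQL only (not sqlglot, not langroid code)
TOKEN_RE = re.compile(r"""
    (?P<skip>\s+|--[^\r\n]*|/\*.*?\*/)   # whitespace, line and block comments
  | (?P<string>'(?:[^']|'')*')            # string literal
  | (?P<quoted>"(?:[^"]|"")+")            # quoted identifier
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)     # bare identifier
  | (?P<other>.)                          # punctuation and anything else
""", re.S | re.X)

def is_dangerous(name):
    name = name.lower()  # case-fold before comparing
    return name in DANGEROUS_NAMES or name.startswith(DANGEROUS_PREFIXES)

def dangerous_calls(sql):
    """Return normalized dangerous call names; fail closed on unmodelled syntax."""
    # Backslash escapes, dollar quoting and U& escapes are not modelled: reject.
    if "\\" in sql or "$" in sql or re.search(r"&['\"]", sql):
        return ["<rejected: unsupported syntax>"]
    hits, prev = [], None
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "skip":
            if text.startswith("/*") and "/*" in text[2:]:
                return ["<rejected: nested comment>"]
            continue  # whitespace or a comment does not separate a name from "("
        if text == "(" and prev is not None and is_dangerous(prev):
            hits.append(prev.lower())
        # Only an identifier can name a function; unquote the quoted form.
        if kind == "quoted":
            prev = text[1:-1].replace('""', '"')
        else:
            prev = text if kind == "ident" else None
    return hits

# Plain call, then the three forms quoted in the advisory text above
PAGE_FORMS = [
    "SELECT pg_read_file('/etc/passwd')",
    "SELECT \"pg_read_file\"('/etc/passwd')",
    "SELECT pg_read_file/**/('/etc/passwd')",
    "SELECT pg_catalog.\"pg_read_file\"('/etc/passwd')",
]
# Constructed benign query: the name appears only inside a string literal
BENIGN = "SELECT lower(name) FROM users WHERE note = 'pg_read_file('"
```

On `PAGE_FORMS` the raw-text regex flags only the plain call, while `dangerous_calls` reports `pg_read_file` for all four; on `BENIGN` the regex raises a false positive and the token-level check does not.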

Behavior change

This strictly tightens an existing security check: `SQLChatAgent` will now reject additional PostgreSQL-specific obfuscations of `pg_read_file` and related functions that previously slipped through the regex. If your application legitimately needs to call these functions (it should not), set `allow_dangerous_operations=True` on `SQLChatAgentConfig`.

Upgrade

```sh
pip install -U langroid
```

Full changelog: 0.65.0...0.65.1

Security Fixes

  • GHSA-6xc5-4r68-67fc — High (CWE‑22/CWE‑89): fixes bypass of `SQLChatAgent` dangerous‑function blocklist via quoted, commented, or schema‑qualified calls


About langroid

Harness LLMs with Multi-Agent Programming


Related context

Earlier breaking changes

  • v0.65.3 Raw user messages containing tools registered with `enable_message(..., use=False, handle=True)` are now dropped instead of executed.
  • v0.65.2 Restricts eval'd expression builtins to a curated safe set, breaking code that relied on full Python builtins (e.g., __import__, open).
  • v0.65.0 Default PDF parser switched from pymupdf4llm to pypdfium2; AGPL dependency removed.
  • v0.64.0 Rejects PostgreSQL/SQLite/MSSQL primitives that enable arbitrary file reads.
  • v0.64.0 Restricts file‑tool paths to stay within configured `curr_dir`.
