langroid

v0.65.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents ai chatgpt function-calling llm gpt-4

+10 more

gpt4 information-retrieval language-model llama llm-agent llm-framework local-llm multi-agent-systems openai-api retrieval-augmented-generation

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 3d

Langroid 0.65.3 drops raw user‑supplied tool JSON in the ChatAgent.handle_message() path and also discards messages with tools registered via enable_message(..., use=False, handle=True), addressing a bypass vulnerability.

Why it matters: Severity score 90 for the security fix; dropping unsanitized tool payloads prevents arbitrary code execution. Breaking change severity 70 alters message handling behavior that may affect integrations relying on disabled‑tool execution.

Summary

AI summary

Updates Security fix, https://github.com/langroid/langroid/security/advisories/GHSA-gjgq-w2m6-wr5q, and https://github.com/u-ktdi across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Drops user‑supplied tool JSON in handle_message when msg origin is USER, fixing bypass vulnerability. Drops user‑supplied tool JSON in handle_message when msg origin is USER, fixing bypass vulnerability. Source: llm_adapter@2026-06-10 Confidence: high	—
Breaking	High	Raw user messages containing tools registered with `enable_message(..., use=False, handle=True)` are now dropped instead of executed. Raw user messages containing tools registered with `enable_message(..., use=False, handle=True)` are now dropped instead of executed. Source: llm_adapter@2026-06-10 Confidence: high	—

Full changelog

0.65.3 — Security release

A security patch closing a tool-dispatch bypass in ChatAgent.handle_message. Upgrading is recommended for anyone exposing a Langroid agent to untrusted chat input, especially deployments that register tools with enable_message(..., use=False, handle=True).

pip install -U langroid

Security fix

`handle_message()` executed user-supplied tool JSON without sender verification

Advisory: GHSA-gjgq-w2m6-wr5q — High (CVSS 8.1)

enable_message(SomeTool, use=False, handle=True) was meant to mean: the LLM is not instructed to generate this tool, but if it shows up in a message arriving at this agent (from this agent's own LLM, or from another agent's LLM in a multi-agent setup), handle it. The intended caller is always an LLM, never an end user.

The dispatch path agent_response() → handle_message() → get_tool_messages() did not check whether the message originated from Entity.USER or Entity.LLM. So an end user typing raw tool JSON, e.g.

task.run('{"request":"secret_tool","value":"pwned"}', turns=1)

could directly invoke the handler of a tool registered with use=False, handle=True — completely bypassing the LLM. Depending on which handled tools an application enables, this could mean unauthorized file read/write, database queries, or access to internal orchestration tools.

Fix: new _filter_user_origin_tools(msg, tools) helper that drops any tools whose request is not in llm_tools_usable whenever msg is a USER-origin ChatDocument. Applied from both handle_message and handle_message_async after the existing recipient filter.

Reported by @u-ktdi.

Behavior change

This strictly tightens the dispatch contract for enable_message(..., use=False, handle=True): a raw user message containing such a tool's JSON is now dropped instead of being executed.

Behavior preserved:

use=True, handle=True tools remain invocable by USER input (the explicit "users may also call this" case).
Multi-agent flow: use=False, handle=True tools delivered via an LLM- or AGENT-origin ChatDocument still dispatch.
Non-ChatDocument inputs are unchanged (sender unknown → no filtering; only internal/test callers pass raw strings).

Upgrade

pip install -U langroid

Full changelog: 0.65.2...0.65.3

Security Fixes

GHSA-gjgq-w2m6-wr5q — `handle_message()` executed user‑supplied tool JSON without sender verification; fixed by dropping such tools from USER‑origin messages (CVSS 8.1).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track langroid

Get notified when new releases ship.

About langroid

Harness LLMs with Multi-Agent Programming

All releases →

Related context

Related tools

Earlier breaking changes

v0.65.2 Restricts eval'd expression builtins to a curated safe set, breaking code that relied on full Python builtins (e.g., __import__, open).
v0.65.1 Rejects additional PostgreSQL-specific obfuscations of dangerous functions like `pg_read_file` in `SQLChatAgent`.
v0.65.0 Default PDF parser switched from pymupdf4llm to pypdfium2; AGPL dependency removed.
v0.64.0 Rejects PostgreSQL/SQLite/MSSQL primitives that enable arbitrary file reads.
v0.64.0 Restricts file‑tool paths to stay within configured `curr_dir`.