This release includes 4 security fixes for security teams reviewing exposed deployments.
Topics
+13 more
Affected surfaces
ReleasePort's take
Light signalRelease v0.6.0 patches multiple security vulnerabilities: it blocks code execution in the calculator tool via restricted parsing and AST validation, adds consent gating plus newline sanitization to cron, and redacts credentials from AWS responses.
Why it matters: Patch immediately to prevent remote code execution in calculator, mitigate unauthorized cron command injection, and stop credential leakage from AWS APIs.
Summary
AI summaryFixes security issues in calculator and cron tools, sanitizes AWS responses, skips hidden directories in file_read, and expands document location extraction in retrieve.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Expand document location extraction for all RetrievalResultLocation types. Expand document location extraction for all RetrievalResultLocation types. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Prevent code execution in calculator tool via restricted parse_expr. Prevent code execution in calculator tool via restricted parse_expr. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Add consent gate and newline sanitization to cron tool. Add consent gate and newline sanitization to cron tool. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Redact sensitive credentials in use_aws responses. Redact sensitive credentials in use_aws responses. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Add AST validation to prevent code execution in calculator tool. Add AST validation to prevent code execution in calculator tool. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Skip hidden directories during os.walk traversal. Skip hidden directories during os.walk traversal. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Other | Medium |
@opieter-aws made their first contribution. @opieter-aws made their first contribution. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
What's Changed
- fix: prevent code execution in calculator tool via restricted parse_expr by @pgrayy in https://github.com/strands-agents/tools/pull/466
- fix: add consent gate and newline sanitization to cron tool by @pgrayy in https://github.com/strands-agents/tools/pull/468
- fix: redact sensitive credentials in use_aws responses by @pgrayy in https://github.com/strands-agents/tools/pull/467
- fix: add AST validation to prevent code execution in calculator tool by @pgrayy in https://github.com/strands-agents/tools/pull/473
- fix(file_read): skip hidden directories during os.walk traversal by @dosvk in https://github.com/strands-agents/tools/pull/440
- feat(retrieve): expand document location extraction for all RetrievalResultLocation types by @opieter-aws in https://github.com/strands-agents/tools/pull/465
New Contributors
- @opieter-aws made their first contribution in https://github.com/strands-agents/tools/pull/465
Full Changelog: https://github.com/strands-agents/tools/compare/v0.5.3...v0.6.0
Security Fixes
- fix: prevent code execution in calculator tool via restricted parse_expr
- fix: add consent gate and newline sanitization to cron tool
- fix: redact sensitive credentials in use_aws responses
- fix: add AST validation to prevent code execution in calculator tool
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Beta — feedback welcome: [email protected]