CVE-2025-9959
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-04
Assigner: JFrog
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | smolagents | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9959 is a vulnerability in the smolagents Local Python execution environment where incomplete validation of Python dunder (double underscore) attributes allows an attacker to escape the sandbox. By using prompt injection, an attacker can trick the agent into executing malicious code outside the sandbox by exploiting access to special Python methods like __getattribute__ and __subclasses__. This enables arbitrary code execution beyond the intended secure environment. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code outside the intended sandbox environment, potentially leading to unauthorized system access, data compromise, or execution of malicious commands on the host system. This could result in system takeover, data exfiltration, or other harmful impacts depending on the environment where smolagents is used. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying whether your environment runs a vulnerable smolagents version (before 1.21.0) with the local Python executor, and whether that agent processes untrusted prompt input that could carry a prompt injection. No network-level detection command is provided, but you can check the installed smolagents version and inspect your agents for use of the Local Python execution environment. Additionally, monitoring for suspicious subprocess calls such as 'curl http://localhost:1337/pwned', or any unexpected subprocess execution triggered from agent-generated Python code, could indicate exploitation attempts. Specific commands to detect exploitation are not provided in the resources. [1, 2]
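The two checks the answer above describes, as an added audit script (not code from BaseFortify or the smolagents project): it compares an installed smolagents version against the fixed release 1.21.0 named on the page, and scans Python source for `CodeAgent(...)` constructions that would run on the local Python executor. The assumptions are that the local executor is the default when `executor_type` is omitted and that the executor is selected by a literal keyword argument; the sample source in `SAMPLE_SOURCE` is constructed for the demonstration.

```python
"""Added example (not from the BaseFortify page or the smolagents project):
audit a checkout for CVE-2025-9959 exposure by version and by executor choice."""
import ast
from importlib import metadata

# Release that contains the fix, per the advisory text.
FIXED_VERSION = (1, 21, 0)


def parse_version(text):
    """Turn '1.20.3' (or '1.21.0rc1') into a comparable (major, minor, patch) tuple.

    Only the leading digits of each component are kept; pre-release tags are ignored,
    so '1.21.0rc1' compares equal to the fixed release (treat such builds with care).
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version_text):
    """True when the version predates the 1.21.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_smolagents_version():
    """Installed smolagents version string, or None when the package is absent."""
    try:
        return metadata.version("smolagents")
    except metadata.PackageNotFoundError:
        return None


def _keyword_literal(call, name):
    """Value of keyword argument `name` if it is a literal constant, else None."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def find_local_executor_agents(source):
    """Return (line, executor) for each CodeAgent(...) call using the local executor.

    Assumption: omitting executor_type selects the local executor, so both
    'executor_type="local"' and a missing executor_type are reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if callee != "CodeAgent":
            continue
        executor = _keyword_literal(node, "executor_type")
        if executor is None or executor == "local":
            findings.append((node.lineno, executor or "default"))
    return findings


# Constructed sample: one agent on the wasm executor, two on the local executor.
SAMPLE_SOURCE = '''
from smolagents import CodeAgent
safe = CodeAgent(tools=[], model=model, executor_type="wasm")
risky = CodeAgent(tools=[], model=model)
explicit = CodeAgent(tools=[], model=model, executor_type="local")
'''


def audit(source, version_text):
    """Summarise exposure: vulnerable version plus any local-executor agents."""
    local_agents = find_local_executor_agents(source)
    return {
        "vulnerable_version": is_vulnerable_version(version_text),
        "local_executor_agents": local_agents,
        "exposed": is_vulnerable_version(version_text) and bool(local_agents),
    }


if __name__ == "__main__":
    version = installed_smolagents_version() or "1.20.0"  # fallback is a constructed value
    print(audit(SAMPLE_SOURCE, version))
```

Point `audit` at your own agent source files and at `installed_smolagents_version()`; a result with `exposed` set means the version predates the fix and at least one agent would run on the local executor.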
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-9959, avoid using the Local Python execution environment when creating smolagents CodeAgents. Instead, use alternative executors such as the WebAssembly (wasm) executor by specifying `executor_type='wasm'` in the CodeAgent constructor. Additionally, if you must use the Local Python executor, apply the security patch that blocks all dunder method calls by default and explicitly authorize only safe dunder methods via a whitelist passed as a dictionary to the executor. Updating smolagents to version 1.21.0 or later, which includes the fix, is also recommended. [1, 2]
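The allowlist approach the answer describes, as an added illustration that is not the smolagents patch itself: every attribute, name or string literal of the form `__name__` is rejected unless it is explicitly authorized, and string literals are checked as well because an attribute-only check would miss `getattr(obj, "__subclasses__")`. The `DEFAULT_SAFE_DUNDERS` set, the `run_guarded` helper and the sample snippets are constructed for the example.

```python
"""Added example (not smolagents code): a default-deny gate for Python dunder
access, in the spirit of the fix that blocks dunder calls unless allowlisted."""
import ast

# Constructed allowlist of dunders that ordinary data handling needs.
DEFAULT_SAFE_DUNDERS = frozenset(
    {"__len__", "__str__", "__repr__", "__eq__", "__iter__", "__next__"}
)


def is_dunder(name):
    """True for identifiers shaped like __name__ (at least one character inside)."""
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def check_dunder_access(source, allowed=DEFAULT_SAFE_DUNDERS):
    """Return sorted (line, name) violations; an empty list means the code passes.

    Three node kinds are inspected: attribute access (obj.__x__), bare names
    (__x__) and string constants ("__x__"), the last one so that reflective
    access through getattr() cannot slip past the gate.
    """
    violations = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            name = node.attr
        elif isinstance(node, ast.Name):
            name = node.id
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            name = node.value
        else:
            continue
        if is_dunder(name) and name not in allowed:
            violations.append((node.lineno, name))
    return sorted(violations)


def run_guarded(source, namespace, allowed=DEFAULT_SAFE_DUNDERS):
    """Refuse to run source that touches a non-allowlisted dunder, else exec it.

    The caller supplies the namespace; the returned dict holds the results.
    This demonstrates the gate only and is not a complete sandbox.
    """
    violations = check_dunder_access(source, allowed)
    if violations:
        raise PermissionError(f"blocked dunder access: {violations}")
    scope = dict(namespace)
    exec(compile(source, "<guarded>", "exec"), scope)
    return scope


# Constructed samples: one allowed use, two that the gate must refuse.
ALLOWED_SNIPPET = "count = items.__len__()"
BLOCKED_ATTRIBUTE = 'obj.__getattribute__("x")'
BLOCKED_REFLECTIVE = 'getattr(obj, "__subclasses__")'

if __name__ == "__main__":
    print(run_guarded(ALLOWED_SNIPPET, {"items": [1, 2, 3]})["count"])
    for snippet in (BLOCKED_ATTRIBUTE, BLOCKED_REFLECTIVE):
        print(snippet, "->", check_dunder_access(snippet))
```

Extending the allowlist is a deliberate decision per name: a wider `allowed` set re-opens exactly the surface the default-deny rule closed, so each addition should be justified by the workload that needs it.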