CVE-2025-9959
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-04

Assigner: JFrog

Description
Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent to create malicious code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-09-04
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9959
EUVD
EUVD-2025-26607
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huggingface smolagents *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9959 is a vulnerability in the smolagents Local Python execution environment where incomplete validation of Python dunder (double underscore) attributes allows an attacker to escape the sandbox. By using prompt injection, an attacker can trick the agent into executing malicious code outside the sandbox by exploiting access to special Python methods like __getattribute__ and __subclasses__. This enables arbitrary code execution beyond the intended secure environment. [1, 2]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code outside the intended sandbox environment, potentially leading to unauthorized system access, data compromise, or execution of malicious commands on the host system. This could result in system takeover, data exfiltration, or other harmful impacts depending on the environment where smolagents is used. [1, 2]

Detection Guidance

Detection involves identifying if your environment uses the vulnerable smolagents local Python executor versions before 1.21.0 and if it processes untrusted prompt inputs that could lead to prompt injection. There is no direct network detection command provided, but you can check the smolagents version and inspect usage of the Local Python execution environment in your agents. Additionally, monitoring for suspicious subprocess calls like 'curl http://localhost:1337/pwned' or unexpected subprocess executions triggered by Python code could indicate exploitation attempts. Specific commands to detect exploitation are not provided in the resources. [1, 2]

Mitigation Strategies

To mitigate CVE-2025-9959, avoid using the Local Python execution environment when creating smolagents CodeAgents. Instead, use alternative executors such as the WebAssembly (wasm) executor by specifying `executor_type='wasm'` in the CodeAgent constructor. Additionally, if you must use the Local Python executor, apply the security patch that blocks all dunder method calls by default and explicitly authorize only safe dunder methods via a whitelist passed as a dictionary to the executor. Updating smolagents to version 1.21.0 or later, which includes the fix, is also recommended. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart