CVE-2025-64168
BaseFortify
Publication date: 2025-10-31
Last updated on: 2025-11-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agno | agno | >= 2.0.0, < 2.2.2 (fixed in 2.2.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64168 is a race condition vulnerability in the Python package 'agno' versions 2.0.0 to before 2.2.2. Under high concurrency, when the session_state object is passed to Agent or Team components during run or arun calls, the session_state can be incorrectly assigned and persisted to the wrong user session. This means that data from one user's session could be exposed to another user, violating confidentiality. The issue arises due to improper synchronization of concurrent execution and affects the security boundary of the application. It has been fixed in version 2.2.2. [1]
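As an added illustration (constructed for this page, not agno's own code), a minimal asyncio model of the bug class the answer describes: a shared instance attribute receives the per-call session_state before an await, so concurrent `arun` calls persist another session's data; the hardened variant keeps the state local to the call. The class and function names are hypothetical.

```python
import asyncio
import copy

# Constructed model of the bug class (NOT agno's code): the agent stashes the
# per-call session_state on the shared instance before awaiting.
class LeakyAgent:
    def __init__(self, store):
        self.store = store          # session_id -> persisted state
        self.session_state = None   # shared mutable slot: the race window

    async def arun(self, session_id, session_state):
        self.session_state = session_state
        await asyncio.sleep(0)      # yields to the loop, like real I/O would
        # By now another concurrent call may have overwritten
        # self.session_state, so a different user's data is persisted
        # under this session_id (CWE-362 leading to CWE-668).
        self.store[session_id] = dict(self.session_state)

# Hardened variant: session_state stays local to the call and is copied,
# so concurrent runs can neither observe nor persist each other's data.
class SafeAgent:
    def __init__(self, store):
        self.store = store

    async def arun(self, session_id, session_state):
        state = copy.deepcopy(session_state)
        await asyncio.sleep(0)
        self.store[session_id] = state

async def _hammer(agent, n):
    # n concurrent sessions, each carrying only its own user id in state
    await asyncio.gather(*(agent.arun(f"s{i}", {"user": f"u{i}"})
                           for i in range(n)))

def count_leaks(agent_cls, n=50):
    """Run n concurrent sessions; count those persisted with another user's data."""
    store = {}
    asyncio.run(_hammer(agent_cls(store), n))
    return sum(1 for i in range(n) if store[f"s{i}"]["user"] != f"u{i}")

if __name__ == "__main__":
    print("leaky agent leaks:", count_leaks(LeakyAgent))
    print("safe agent leaks:", count_leaks(SafeAgent))
```

The same pattern can serve as a regression test for any component that accepts per-request state: run many sessions concurrently and assert that every persisted record still matches the session it was submitted under.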
How can this vulnerability impact me?
This vulnerability can lead to exposure of one user's session data to another user, compromising confidentiality. An attacker could potentially access sensitive information from other users' sessions. The impact is high on confidentiality, low on integrity, and none on availability. It requires network access and low privileges but has high attack complexity. This could result in unauthorized data disclosure and privacy breaches. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA because it can lead to unauthorized exposure of personal or sensitive user data between sessions. Such data breaches violate confidentiality requirements mandated by these regulations, potentially resulting in legal and financial consequences for affected organizations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying if your system is running a vulnerable version of the agno package (versions >2.0.0 and <2.2.2). You can check the installed version using the command `pip show agno` or `pip list | grep agno`. Since the vulnerability occurs under high concurrency during run or arun calls with session_state, monitoring logs or application behavior for session data leakage or race conditions may help, but no specific detection commands are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the agno package to version 2.2.2 or later using the command `pip install -U agno`. This patch resolves the race condition causing session_state to be assigned incorrectly and prevents user data exposure. [1]