Amiteliahu

**Name of the Vulnerable Software and Affected Versions** Semantic Kernel Python SDK versions prior to 1.39.4 **Description** A remote code execution issue exists within the `InMemoryVectorStore` filter functionality. The flaw occurs in the `InMemoryCollection. parse and validate filter` function, where a specially crafted `filter str` can access Python object internals, such as ` globals `, allowing an attacker to escalate a prompt injection into arbitrary code execution. **Recommendations** Update Semantic Kernel Python SDK to version 1.39.4 or later. As a temporary workaround, avoid using `InMemoryVectorStore` for production scenarios.

**Name of the Vulnerable Software and Affected Versions** Pydantic AI versions 1.34.0 through 1.50.9 **Description** Pydantic AI contains a path traversal issue in its web UI. A crafted URL can be used by an attacker to serve arbitrary JavaScript within the application's context. This allows execution of attacker-controlled code in the victim's browser, potentially leading to theft of chat history and session cookies. The issue arises because the CDN URL is constructed using a non-validated `version` query parameter from the request URL, enabling path traversal sequences. This vulnerability affects applications utilizing `Agent.to web` or `clai web` to serve a chat interface, which may be running locally or on a remote server. **Recommendations** Upgrade to version 1.51.0 or later to remove the user-controllable `version` parameter and prevent the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Semantic Kernel .NET SDK versions prior to 1.71.0 Agent Framework version 1.0 **Description** An arbitrary file write issue exists within the `SessionsPythonPlugin` of the .NET SDK. This flaw can be chained with path traversal and insecure automated optimizations to achieve remote code execution (RCE). The problem arises from a trust gap where stochastic LLM output is treated as high-privilege system commands when `AutoInvokeKernelFunctions` is enabled, failing to effectively validate tool calls. Attackers can bypass security filters using JSON type confusion, Base64/URL encoding, or Unicode homoglyphs to overwrite the application's own source code, such as `Program.cs`, leading to full host takeover. The issue specifically involves the `DownloadFileAsync()` and `UploadFileAsync()` functions and the `localFilePath` variable. **Recommendations** For Microsoft Semantic Kernel .NET SDK versions prior to 1.71.0, update to version 1.71.0 or higher. For Agent Framework version 1.0, disable `ToolCallBehavior.AutoInvokeKernelFunctions` and switch to manual function invocation. As a temporary mitigation, implement a Function Invocation Filter to verify that the `localFilePath` variable passed to `DownloadFileAsync()` or `UploadFileAsync()` is allow listed and anchored to a safe root.