PT-2025-22276 · Langroid · Langroid

Sch227 · Published 2025-05-20 · Updated 2026-02-04 · CVE-2025-46724

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.53.15

Description: The issue concerns Langroid, a Python framework for building large language model (LLM)-powered applications. In versions prior to 0.53.15, the TableChatAgent uses pandas eval(), which may be vulnerable to code injection if fed untrusted user input, such as in public-facing LLM applications. Langroid 0.53.15 addresses this by sanitizing input to TableChatAgent by default and adding warnings about risky behavior in the project documentation.

Recommendations: For versions prior to 0.53.15, update to version 0.53.15 to sanitize input to TableChatAgent and prevent code injection vulnerabilities. As a temporary workaround, consider disabling the use of pandas eval() in TableChatAgent until a patch is available. Restrict access to TableChatAgent to minimize the risk of exploitation.
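As an added illustration of the mitigation class the advisory describes, and not Langroid's own code, the following Python validator allowlists an expression string before it is handed to pandas DataFrame.eval(): only column arithmetic, comparisons and boolean combinations pass, while attribute access, calls, subscripts, lambdas and unknown names are rejected. The column names, the node allowlist and the safe_table_eval helper are assumptions made for this example.

```python
import ast

# Added example (not Langroid's own code): an allowlist for the expression strings
# that an LLM-driven table agent would otherwise pass straight to DataFrame.eval().
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Name, ast.Constant, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.BitAnd, ast.BitOr,                  # pandas filters use & and |
    ast.USub, ast.UAdd, ast.Not, ast.Invert, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
ALLOWED_CONSTANTS = (int, float, bool, str)
MAX_EXPR_LEN = 200                          # assumed limit; tune per deployment


def validate_expression(expr: str, columns: set[str]) -> str:
    """Return expr unchanged if it is a plain column expression, else raise ValueError."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:              # also rejects pandas-only syntax such as @local
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in columns:
            raise ValueError(f"unknown column: {node.id}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, ALLOWED_CONSTANTS):
            raise ValueError("disallowed literal")
    return expr


def is_safe_expression(expr: str, columns: set[str]) -> bool:
    """Boolean form of validate_expression, convenient for logging decisions."""
    try:
        validate_expression(expr, columns)
        return True
    except ValueError:
        return False


def safe_table_eval(df, expr: str):
    """Gate DataFrame.eval() behind the validator (df is a pandas DataFrame, not imported here)."""
    validate_expression(expr, {str(c) for c in df.columns})
    return df.eval(expr)


if __name__ == "__main__":
    cols = {"price", "qty", "city"}         # constructed sample schema
    for e in ("price * qty > 100", "(city == 'Paris') & (qty > 2)", "price.max()", "len(price)"):
        print(f"{e!r:36} -> {'accepted' if is_safe_expression(e, cols) else 'rejected'}")
```

Expressions that pass are still evaluated by pandas; the validator only narrows what reaches eval(), so keep the rest of the advisory's recommendations (upgrade, restrict access) in place.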

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-46724, GHSA-JQQ5-WC57-F8HJ

Affected Products: Langroid