PT-2025-22277 · Langroid · Langroid

Sch227 · Published 2025-05-20 · Updated 2025-08-13 · CVE-2025-46725

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.53.15

Description: The issue concerns the use of pandas eval() through the compute_from_docs() function in the LanceDocChatAgent component. This allows an attacker to potentially run malicious commands, compromising the host system. The QueryPlan.dataframe_calc field is also implicated in this issue.

Recommendations: For versions prior to 0.53.15, consider disabling the LanceDocChatAgent component or restricting its use until the issue is resolved. As a temporary workaround, avoid using the compute_from_docs() function and the QueryPlan.dataframe_calc field to minimize the risk of exploitation. Update to version 0.53.15 or later, which sanitizes input to the affected function by default and includes warnings about this risky behavior in the project documentation.
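The core risk described above is that a string built from untrusted content (documents, model output) reaches pandas eval(), which can evaluate far more than column arithmetic. The guard below is an added illustration of the "sanitize before evaluating" mitigation the advisory refers to; it is not Langroid's own sanitization code, and the function names, the operator allow-list and the sample expressions are constructed for this example. It parses a candidate dataframe-calculation string with Python's ast module and accepts it only if it combines known column names and numeric literals with arithmetic, comparison and boolean operators. Calls, attribute access, subscripts, strings and pandas' @local syntax are all rejected before the string would ever be handed to eval().

```python
import ast

# Constructed allow-list for a dataframe calculation expression. This is an
# illustrative guard, not Langroid's own sanitization code.
_ALLOWED_OPERATORS = (
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow,   # arithmetic
    ast.USub, ast.UAdd,                                     # unary sign
    ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq,    # comparisons
    ast.And, ast.Or, ast.Not,                               # boolean logic
)
_ALLOWED_STRUCTURE = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp, ast.Load,
)


class UnsafeExpression(ValueError):
    """Raised when an expression is not a plain arithmetic/comparison formula."""


def validate_dataframe_calc(expr: str, columns: set[str]) -> str:
    """Return ``expr`` unchanged if it only combines known columns and numeric
    literals with arithmetic, comparison and boolean operators; otherwise raise.

    Anything that could reach Python objects or functions (calls, attribute
    access, subscripts, strings, lambdas, comprehensions) is rejected before
    the string is handed to a dataframe evaluator.
    """
    try:
        # pandas' '@local' variable syntax is a SyntaxError for ast.parse,
        # so it is rejected here as well.
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a parseable expression: {exc.msg}") from None

    for node in ast.walk(tree):
        if isinstance(node, _ALLOWED_STRUCTURE + _ALLOWED_OPERATORS):
            continue
        if isinstance(node, ast.Name):
            if node.id not in columns:
                raise UnsafeExpression(f"unknown column {node.id!r}")
            continue
        if isinstance(node, ast.Constant):
            # bool is a subclass of int, so exclude it explicitly
            if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
                raise UnsafeExpression(f"only numeric literals allowed, got {node.value!r}")
            continue
        # Call, Attribute, Subscript, Lambda, comprehensions, f-strings, ...
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
    return expr


def is_safe_dataframe_calc(expr: str, columns: set[str]) -> bool:
    """Boolean convenience wrapper around validate_dataframe_calc."""
    try:
        validate_dataframe_calc(expr, columns)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    # Constructed sample column set and candidate expressions.
    cols = {"price", "qty", "cost"}
    for candidate in ["price * qty", "(price - cost) / price > 0.2",
                      "price.mean()", "total * 2", "price == 'free'"]:
        verdict = "allowed" if is_safe_dataframe_calc(candidate, cols) else "rejected"
        print(f"{candidate!r:35} -> {verdict}")
```

The column set should come from the dataframe's actual schema, not from the same untrusted input that produced the expression. An allow-list over the parsed syntax tree is preferable to pattern-matching on the raw string, because it decides on structure rather than on what a blocklist happened to anticipate; if a calculation legitimately needs functions, add them to the allow-list by name rather than loosening the structural check.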

Weakness Enumeration: Code Injection

Related Identifiers:
CVE-2025-46725
GHSA-22C2-9GWG-MJ59

Affected Products: Langroid