CVE-2025-46726

9.1 CRITICAL

📋 TL;DR

Langroid applications using the XMLToolMessage class with untrusted XML input are vulnerable to XML External Entity (XXE) attacks. This allows attackers to cause denial of service or read sensitive local files. All Langroid applications using XMLToolMessage with user-supplied XML before version 0.53.4 are affected.

💻 Affected Systems

Products:
  • Langroid
Versions: All versions prior to 0.53.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using XMLToolMessage class with untrusted XML input. Applications not using XMLToolMessage or only processing trusted XML are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through sensitive file disclosure (e.g., /etc/passwd, SSH keys, configuration files) leading to data exfiltration and potential lateral movement.

🟠 Likely Case

Denial of service through XML entity expansion attacks or limited file disclosure from accessible directories.

🟢 If Mitigated

Minimal impact if XML input is properly sanitized or restricted to trusted sources only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with established exploitation patterns. No public exploit code has been released for this specific CVE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.53.4

Vendor Advisory: https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f

Restart Required: Yes

Instructions:

1. Update Langroid to version 0.53.4 or later using pip: pip install --upgrade "langroid>=0.53.4" (the quotes stop the shell from treating >= as an output redirection)
2. Restart all Langroid applications
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable XML external entities (platforms: all)

Configure the XML parser to disable external entity resolution.

Modify XMLToolMessage usage to set resolve_entities=False in the XML parser configuration.

Input validation and sanitization (platforms: all)

Validate and sanitize all XML input before processing.

Implement XML schema validation or strip DOCTYPE declarations from user input.

🧯 If You Can't Patch

  • Implement strict input validation to reject XML containing DOCTYPE declarations or external entity references
  • Run Langroid applications with minimal file system permissions and in isolated containers
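
One way to implement the DOCTYPE and entity rejection described above, as an added example that is not Langroid's code. It uses the standard-library expat parser as a gate in front of whatever parses the XML; the names ForbiddenXML, reject_dtd_and_entities and is_safe_xml, and the sample inputs, are constructed for illustration.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML is malformed or carries a DTD / entity declaration."""


def reject_dtd_and_entities(xml_text: str) -> str:
    """Return xml_text unchanged if it is well-formed and DTD-free.

    Hypothetical helper: call it on user-supplied XML before handing
    the text to any XML parser. Raises ForbiddenXML otherwise.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference not allowed: {sysid!r}")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    return xml_text


def is_safe_xml(xml_text: str) -> bool:
    """Boolean form of the gate, convenient for request validation."""
    try:
        reject_dtd_and_entities(xml_text)
    except ForbiddenXML:
        return False
    return True


# Constructed sample inputs (not taken from the advisory).
SAFE = "<tool><request>calc</request><x>1</x></tool>"
WITH_EXTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE tool '
                        '[<!ENTITY e SYSTEM "file:///placeholder/path">]>'
                        "<tool>&e;</tool>")
WITH_NESTED_ENTITIES = ('<!DOCTYPE t [<!ENTITY a "x">'
                        '<!ENTITY b "&a;&a;">]><t>&b;</t>')
```

Because the gate parses the document instead of pattern-matching the string, it also rejects malformed input and is not fooled by a DOCTYPE hidden behind comments or unusual whitespace.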

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses the XMLToolMessage class and processes untrusted XML. Review the code for XMLToolMessage imports and usage.

Check Version:

python -c "import langroid; print(langroid.__version__)"

Verify Fix Applied:

Verify Langroid version is 0.53.4 or later and test with malicious XML containing XXE payloads to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors mentioning external entities
  • Unusual file access patterns from Langroid processes
  • High memory or CPU usage during XML processing

Network Indicators:

  • Outbound connections to unexpected external domains during XML processing
  • Large XML payloads being submitted to Langroid endpoints

SIEM Query:

source="langroid" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*external*" OR process_access="sensitive_file")
