CVE-2025-9959
📋 TL;DR
This vulnerability allows an attacker to escape the local Python execution sandbox in smolagents (the LocalPythonExecutor used by CodeAgent) by exploiting incomplete validation of dunder (double-underscore) attribute access. An attacker who can get the agent to run crafted code, typically through prompt injection, can then execute arbitrary Python outside the sandbox with the privileges of the process hosting the agent. This affects any deployment running a vulnerable version of smolagents with the local Python executor enabled.
💻 Affected Systems
- smolagents
⚠️ Manual Verification Required
This CVE has no version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE entry does not specify vulnerable version ranges (none were provided by the vendor or NVD); the fix is identified only by the pull request that introduced it.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing arbitrary code execution, data exfiltration, lateral movement, and persistence on the host system.
Likely Case
Arbitrary code execution in the process running the agent, with that process's privileges: reading its secrets (model API keys, tool credentials), reaching files and network destinations available to the host, and misusing the agent's configured tools.
If Mitigated
Sandbox escape prevented; prompt injection can still make the agent misuse its authorized tools and imports from inside the sandbox.
🎯 Exploit Status
Exploitation is a two-step chain: a successful prompt injection that makes the agent emit attacker-chosen code, followed by the dunder-based escape from the local executor. JFrog's research on the issue provides the technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any release containing the fix from PR #1551 (no version range is recorded in the CVE entry)
Vendor Advisory: https://github.com/huggingface/smolagents/pull/1551
Restart Required: Yes
Instructions:
1. Update smolagents to a release that contains the fix from PR #1551.
2. Restart every process that runs smolagents agents; the library is loaded in-process, so a running agent keeps executing the old code until restarted.
3. Verify the fix: confirm the installed version, then confirm that the local executor rejects dunder attribute access (see How to Verify below).
🔧 Temporary Workarounds
Disable the Local Python Executor
Until patching is complete, do not run agent-generated code in the local Python executor. Recent smolagents versions let CodeAgent run code in a remote sandbox instead (the executor_type argument, for example "e2b" or "docker"), which keeps agent code out of the agent's own process; if your version does not support a remote executor, take CodeAgent deployments that handle untrusted input offline until patched.
Input Validation and Sanitization
Filter and constrain all untrusted input (user messages, retrieved documents, tool results) in your application before it reaches the agent, to reduce the chance of prompt injection. Treat this as risk reduction only: sanitization cannot reliably prevent prompt injection, so it does not substitute for the patch.
🧯 If You Can't Patch
- Strictly validate and constrain untrusted input to reduce prompt injection risk, without relying on it alone
- Run the agent process with least privilege: only the secrets it needs, a restricted filesystem and limited network egress, so an escape yields as little as possible
- Monitor for unusual agent behavior and rate-limit agent code execution
🔍 How to Verify
Check if Vulnerable:
Your deployment is vulnerable if your smolagents version predates the fix in PR #1551 and the local Python executor is in use (the default executor for CodeAgent).
Check Version:
Check smolagents version in Python: import smolagents; print(smolagents.__version__)
Verify Fix Applied:
After updating, feed the local executor a few snippets that reach dunder attributes both directly (x.__class__) and indirectly (getattr with a string argument, vars, __import__) and confirm that each is rejected rather than executed, while ordinary code still runs.
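The following is an added example, not code from this advisory, from JFrog or from smolagents. It puts a deliberately incomplete dunder check (the bug class the TL;DR describes: validation that inspects only one syntactic form of attribute access) next to a stricter one, and wraps both in an audit helper you can point at your own executor after patching. The probe snippets, naive_check, strict_check and audit are all constructed for this illustration; neither check reproduces smolagents' actual validation logic, and the strict check is only a gate in front of an executor, not a sandbox on its own.

```python
import ast

# Probe snippets that reach dunder attributes directly or indirectly.
# Constructed for this example; not taken from the advisory or from JFrog's
# write-up. 'benign' is the control and must stay allowed.
PROBES = {
    "direct_dunder": "().__class__.__base__.__subclasses__()",
    "getattr_string": "getattr((), '__class__')",
    "getattr_concat": "getattr((), '__cl' + 'ass__')",
    "vars_builtin": "vars(object)",
    "import_dunder": "__import__('os')",
    "benign": "sum(range(10))",
}


class DunderAccess(Exception):
    """Raised when a check rejects a snippet."""


def naive_check(code: str) -> None:
    """Hypothetical incomplete validator (not smolagents' code): only the
    attribute syntax x.__y__ is inspected, so getattr(x, '__y__'), vars(x)
    and the __import__ builtin all pass untouched."""
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise DunderAccess(node.attr)


# Builtins that resolve attributes or modules by name at runtime and therefore
# bypass any purely syntactic dunder check.
DYNAMIC_ACCESS = {"getattr", "setattr", "delattr", "vars", "globals", "locals", "__import__"}


def strict_check(code: str) -> None:
    """Rejects dunder attributes, dunder identifiers, and calls to the
    dynamic-access builtins above."""
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise DunderAccess(node.attr)
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            raise DunderAccess(node.id)
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                name = func.id
            elif isinstance(func, ast.Attribute):
                name = func.attr
            else:
                name = None
            if name in DYNAMIC_ACCESS:
                raise DunderAccess(f"dynamic access via {name}()")


def audit(run_code, probes=PROBES):
    """Feed each probe to run_code (any callable that raises on a snippet it
    refuses, e.g. a thin wrapper around your code executor) and return the
    names of probes that were NOT blocked, in probe order. After a correct
    fix only 'benign' should come back."""
    allowed = []
    for name, snippet in probes.items():
        try:
            run_code(snippet)
        except Exception:
            continue  # blocked, which is the desired outcome for every probe but 'benign'
        allowed.append(name)
    return allowed


if __name__ == "__main__":
    print("naive  allows:", audit(naive_check))   # every probe except direct_dunder
    print("strict allows:", audit(strict_check))  # ['benign']
```

To use the audit against a real deployment, pass a wrapper around your executor that raises when execution is refused; the exact call signature depends on your smolagents version and is not assumed here. A patched executor should leave only the benign probe in the returned list.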
📡 Detection & Monitoring
Log Indicators:
- Unusual Python execution patterns
- Attempts to access restricted modules or attributes
- Multiple failed sandbox escape attempts
Network Indicators:
- Unexpected outbound connections from agent processes
- Unusual data exfiltration patterns
SIEM Query:
Agent execution logs in which the code produced by the agent contains dunder names (__class__, __subclasses__, __globals__, __builtins__, __import__), dynamic attribute access (getattr, vars, globals, locals) or process-spawning calls (os.system, subprocess), especially repeated rejected attempts from one session; plus any python processes spawned by a smolagents host with unexpected arguments or imports.
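As an added example (not part of this advisory and not a smolagents feature), the detector below applies the log indicators listed above to constructed sample log lines. It assumes the hosting application emits one JSON record per executed code block with ts, session, status and code fields; that schema, the sample records and the indicator patterns are all assumptions made for this illustration. It also undoes the simplest string-splitting obfuscation ("__im" + "port__") before matching, since an attacker bypassing a dunder check has reason to split the name.

```python
import json
import re
from collections import Counter

# Constructed sample log lines, NOT real smolagents output. Assumed schema:
# one JSON record per code block the agent executed, with the code itself and
# whether the executor accepted ("ok") or rejected ("error") it.
SAMPLE_LOGS = [
    '{"ts":"2025-09-03T10:00:01Z","session":"s1","status":"ok",'
    '"code":"result = 2 + 2\\nfinal_answer(result)"}',
    '{"ts":"2025-09-03T10:00:07Z","session":"s2","status":"error",'
    '"code":"x = ().__class__.__base__.__subclasses__()"}',
    '{"ts":"2025-09-03T10:00:09Z","session":"s2","status":"error",'
    '"code":"f = getattr(__builtins__, \\"__im\\" + \\"port__\\")"}',
    '{"ts":"2025-09-03T10:00:12Z","session":"s2","status":"error",'
    '"code":"import os; os.system(\\"id\\")"}',
    '{"ts":"2025-09-03T10:00:15Z","session":"s3","status":"ok",'
    '"code":"print(len(\\"abc\\"))"}',
]

# Indicator patterns, named after the log indicators in the advisory.
INDICATORS = {
    "dunder_access": re.compile(r"__[A-Za-z]\w*__"),
    "introspection_chain": re.compile(
        r"__(?:class|base|bases|mro|subclasses|globals|builtins|import)__"),
    "dynamic_attribute": re.compile(
        r"\b(?:getattr|setattr|delattr|vars|globals|locals|__import__)\s*\("),
    "process_spawn": re.compile(
        r"\b(?:os\.(?:system|popen|exec\w*|spawn\w*)|subprocess\.\w+)\b"),
}

# Joins split string literals: '"__im" + "port__"' and '"__im" "port__"'
# both become '"__import__"'. Empty literals ("") are removed as a side effect,
# which does not matter for indicator matching.
_SPLIT_LITERAL = re.compile(r"""["']\s*\+?\s*["']""")


def normalize(code: str) -> str:
    return _SPLIT_LITERAL.sub("", code)


def scan_line(raw: str) -> dict:
    """Parse one log record and return it with the sorted list of indicator
    names that match its (normalized) code."""
    event = json.loads(raw)
    code = normalize(event["code"])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    return {"ts": event["ts"], "session": event["session"],
            "status": event["status"], "hits": hits}


def scan_logs(lines, threshold: int = 2) -> dict:
    """Return the suspicious records and the sessions with at least
    `threshold` rejected suspicious executions (repeated escape attempts)."""
    findings = [scan_line(line) for line in lines]
    suspicious = [f for f in findings if f["hits"]]
    failed = Counter(f["session"] for f in suspicious if f["status"] != "ok")
    repeat_offenders = sorted(s for s, n in failed.items() if n >= threshold)
    return {"suspicious": suspicious, "repeat_offenders": repeat_offenders}


if __name__ == "__main__":
    report = scan_logs(SAMPLE_LOGS)
    for f in report["suspicious"]:
        print(f["ts"], f["session"], f["status"], ",".join(f["hits"]))
    print("sessions with repeated rejected attempts:", report["repeat_offenders"])
```

Rejected attempts that match an indicator are the higher-value signal: on a patched executor they show an injection reaching the agent, and on an unpatched one a run with status "ok" and an introspection_chain hit is the escape itself. Tune the threshold and add your own log fields as needed.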