CVE-2025-46726 Overview
Langroid, a framework for building large-language-model-powered applications, contains an XML External Entity (XXE) vulnerability in its XMLToolMessage class. Prior to version 0.53.4, applications that use this class to process untrusted XML input are exposed to Denial of Service (DoS) attacks and/or exposure of local files containing sensitive information. The XML parser was created without disabling entity resolution, which allows attackers to craft malicious XML payloads.
Critical Impact
Attackers can exploit this XXE vulnerability to cause service disruption through DoS attacks or exfiltrate sensitive local files from the server, potentially exposing configuration files, credentials, or other confidential data processed by LLM-powered applications.
Affected Products
- Langroid versions prior to 0.53.4
- Applications using the XMLToolMessage class for XML processing
- LLM-powered applications built with vulnerable Langroid versions
Discovery Timeline
- 2025-05-05 - CVE-2025-46726 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-46726
Vulnerability Analysis
This vulnerability stems from improper XML parser initialization in the XMLToolMessage class within langroid/agent/xml_tool_message.py. The vulnerable code created an XMLParser instance without disabling dangerous features such as entity resolution, DTD loading, and network access. This configuration allows attackers to inject malicious XML payloads containing external entity declarations that can reference local files or trigger recursive entity expansion attacks (billion laughs attack).
The vulnerability enables two primary attack scenarios: First, attackers can craft XML documents with external entity references pointing to local files like /etc/passwd or application configuration files, causing the parser to include their contents in the response. Second, attackers can leverage recursive entity expansion to cause resource exhaustion, leading to Denial of Service conditions.
Root Cause
The root cause is the insecure default configuration of the lxml.etree.XMLParser object. The original implementation only specified strip_cdata=False without implementing security-hardening flags. This left the parser vulnerable to XML External Entity (XXE) attacks, billion laughs attacks, and external DTD attacks because entity resolution remained enabled by default.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can submit crafted XML input to any LLM application using the vulnerable XMLToolMessage class. The malicious XML could contain external entity declarations designed to read local files or cause resource exhaustion through recursive entity expansion.
# Security patch in langroid/agent/xml_tool_message.py
# Source: https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
Raises:
etree.XMLSyntaxError: If the input string is not valid XML.
"""
- parser = etree.XMLParser(strip_cdata=False)
+ # SECURITY: Initialize XMLParser with flags to prevent
+ # XML External Entity (XXE), billion laughs, and external DTD attacks by
+ # disabling entity resolution, DTD loading, and network access;
+ # `strip_cdata=False` is needed to preserve
+ # content within CDATA sections (e.g., for code).
+ parser = etree.XMLParser(
+ strip_cdata=False,
+ resolve_entities=False,
+ load_dtd=False,
+ no_network=True,
+ )
root = etree.fromstring(formatted_string.encode("utf-8"), parser=parser)
def parse_element(element: etree._Element) -> Any:
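Review bot: In the new etree.XMLParser(...) call, resolve_entities=False leaves entity references in the tree unexpanded, but a document that carries a DOCTYPE is still accepted and handed to the parse_element walk that follows. If tool messages never need a DTD, consider rejecting such input right after etree.fromstring (for example when root.getroottree().docinfo.doctype is non-empty) instead of parsing it quietly. The hunk also shows no regression test; one that parses a message declaring an internal entity and asserts the entity text does not appear in the result would pin the behaviour. The SECURITY comment lists three attacks and three flags without pairing them, so a reader cannot tell which flag addresses which attack.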
Detection Methods for CVE-2025-46726
Indicators of Compromise
- Unusual XML payloads containing <!DOCTYPE declarations with <!ENTITY definitions in application logs
- Attempted file access to sensitive system files like /etc/passwd, /etc/shadow, or application configuration files from the Langroid process
- Excessive memory or CPU consumption during XML parsing operations indicating potential billion laughs attack
- Network requests originating from the XML parser attempting to fetch external DTDs or entities
Detection Strategies
- Monitor application logs for XML input containing external entity declarations or DTD references
- Implement file access auditing to detect unauthorized reads of sensitive system files by the Langroid application process
- Deploy runtime application self-protection (RASP) solutions to detect and block XXE exploitation attempts
- Use web application firewalls (WAF) with XXE detection rules to filter malicious XML payloads at the network perimeter
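The log-monitoring strategy above as an added example (not code from the advisory or from Langroid): it flags DOCTYPE and ENTITY declarations in log lines even when the payload was logged URL-encoded, HTML-escaped or JSON-escaped. The log format, field names and sample lines are constructed assumptions.

```python
# Added example: log triage for XXE indicators. Field names and log
# lines are constructed; adapt the patterns to your own log format.
import html
import re
from urllib.parse import unquote

DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?P<ext>SYSTEM|PUBLIC)?", re.I)
JSON_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(line: str) -> str:
    """Undo one layer each of JSON \\uXXXX, URL and HTML escaping."""
    line = JSON_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), line)
    return html.unescape(unquote(line))


def classify(line: str) -> list[str]:
    """Tag a log line with the XXE indicators found after normalization."""
    text = normalize(line)
    tags = ["doctype"] if DOCTYPE.search(text) else []
    for match in ENTITY.finditer(text):
        tags.append("external-entity" if match.group("ext") else "internal-entity")
    return tags


def scan(lines):
    """Return (line_number, tags) for each line with at least one indicator."""
    tagged = ((n, classify(line)) for n, line in enumerate(lines, start=1))
    return [(n, tags) for n, tags in tagged if tags]


# Constructed sample: one benign line, then three differently escaped payloads.
SAMPLE_LOG = [
    'ts=2025-05-06T10:00:01Z xml="<tool><request>sum</request></tool>"',
    "ts=2025-05-06T10:00:02Z body=%3C%21DOCTYPE%20t%20%5B%3C%21ENTITY%20x"
    "%20SYSTEM%20%22file%3A%2F%2F%2Fplaceholder%22%3E%5D%3E",
    r'{"ts":"2025-05-06T10:00:03Z","xml":"\u003c!DOCTYPE t [\u003c!ENTITY a \"aa\"\u003e]\u003e"}',
    "ts=2025-05-06T10:00:04Z msg=&lt;!ENTITY % ext PUBLIC &quot;-//X//Y&quot;"
    " &quot;http://example.invalid/e.dtd&quot;&gt;",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a triage lead rather than proof of exploitation: code carried in a CDATA section can legitimately contain these strings.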
Monitoring Recommendations
- Enable verbose logging for the XMLToolMessage class to capture all XML parsing operations
- Set up alerts for unusual resource consumption patterns (CPU, memory) during XML processing
- Monitor outbound network connections from the application server that may indicate external entity resolution attempts
- Implement log aggregation to correlate XML parsing events with file access patterns across your LLM application infrastructure
How to Mitigate CVE-2025-46726
Immediate Actions Required
- Upgrade Langroid to version 0.53.4 or later immediately to apply the security fix
- Audit all LLM applications using Langroid to identify those leveraging the XMLToolMessage class
- Review application logs for evidence of exploitation attempts before patching
- Consider temporarily disabling XML-based tool messaging if immediate patching is not possible
Patch Information
The vulnerability has been addressed in Langroid version 0.53.4. The fix implements secure XML parser initialization by adding the flags resolve_entities=False, load_dtd=False, and no_network=True to prevent XXE attacks. The patch also updates the lxml dependency requirement from versions <5.0.0,>=4.9.3 to <6.0.0,>=5.4.0 for additional security improvements.
For detailed information, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- If upgrading is not immediately possible, implement input validation to reject XML documents containing DOCTYPE declarations before they reach the XMLToolMessage class
- Deploy a web application firewall (WAF) with rules to block XXE payloads targeting your LLM applications
- Isolate Langroid applications in sandboxed environments with restricted file system access to limit the impact of successful exploitation
- Consider switching to JSON-based tool messaging as an alternative to XML until the patch can be applied
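One way to implement the DOCTYPE-rejection workaround above, as an added example (not Langroid code): the hypothetical reject_doctype() helper runs the input through the standard-library expat parser, so a real DOCTYPE is refused while the literal text <!DOCTYPE inside a CDATA section, which tool messages use to carry code, still passes. The helper names and all sample inputs are constructed.

```python
# Added example: reject_doctype() is a hypothetical pre-parse guard,
# not part of Langroid. Sample inputs below are constructed.
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    """Untrusted XML declared a DTD."""


def reject_doctype(xml_text: str) -> str:
    """Return xml_text unchanged; raise if it declares a DOCTYPE or is malformed."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called when the DOCTYPE header has been read, before any
        # <!ENTITY> declaration in the internal subset is processed.
        raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return xml_text


def is_allowed(xml_text: str) -> bool:
    """True when the guard accepts the input, False when it raises."""
    try:
        reject_doctype(xml_text)
        return True
    except ValueError:
        return False


# Code carried in CDATA may contain the literal text "<!DOCTYPE"; it is
# character data, not a declaration, so the guard lets it through.
CDATA_CODE = "<tool><code><![CDATA[<!DOCTYPE html><p>hi</p>]]></code></tool>"
WITH_ENTITY = (
    '<?xml version="1.0"?><!DOCTYPE tool [<!ENTITY x "v">]>'
    "<tool><request>&x;</request></tool>"
)
EXTERNAL_DTD = '<!DOCTYPE tool SYSTEM "placeholder.dtd"><tool/>'

if __name__ == "__main__":
    for sample in (CDATA_CODE, WITH_ENTITY, EXTERNAL_DTD):
        print(is_allowed(sample), sample[:40])
```

Call the guard on the raw string before it is handed to the XML tool-message parser; a plain substring match on "<!DOCTYPE" would wrongly reject the CDATA case.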
# Configuration example - Upgrade Langroid to patched version
pip install "langroid>=0.53.4"
# Verify the installed version
pip show langroid | grep Version