Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64168

CVE-2025-64168: Agno Framework Race Condition Vulnerability

CVE-2025-64168 is a race condition flaw in Agno multi-agent framework that can expose user data across sessions under high concurrency. This article covers the technical details, affected versions 2.0.0-2.2.1, and mitigation.

Published:

CVE-2025-64168 Overview

CVE-2025-64168 is a race condition vulnerability [CWE-362] in Agno, a multi-agent framework, runtime, and control plane. The flaw affects versions 2.0.0 through versions before 2.2.2. Under high concurrency, when session_state is passed to an Agent or Team during run or arun calls, the framework can assign and persist that state to the wrong session. This cross-session contamination can expose one user's data to another user. The maintainers fixed the issue in version 2.2.2.

Critical Impact

Concurrent requests can cross-pollinate session state between users, leaking confidential data held in Agent or Team sessions across tenant boundaries.

Affected Products

  • Agno multi-agent framework versions 2.0.0 through 2.2.1
  • Agno Agent runtime invoked with session_state via run or arun
  • Agno Team runtime invoked with session_state via run or arun

Discovery Timeline

  • 2025-10-31 - CVE-2025-64168 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-64168

Vulnerability Analysis

Agno orchestrates AI agents and teams that maintain per-user session_state across invocations. The framework accepts session_state as a parameter to the run and arun entry points on Agent and Team objects. When multiple requests execute concurrently, the assignment and persistence of session_state is not atomic relative to the session identifier in scope. The result is a time-of-check to time-of-use (TOCTOU) condition where state intended for session A can be written against session B.

The consequence is a confidentiality breach across sessions. Conversational history, tool outputs, or user attributes carried in session_state can surface in another user's context window or be persisted to another user's record in the backing store.

Root Cause

The root cause is shared mutable state without proper synchronization on the session identity binding. When session_state is supplied per-call, the framework's internal assignment path treats the value as instance-scoped rather than call-scoped. Under concurrent arun execution, two coroutines can interleave between the assignment and the persistence step, causing one coroutine's session_state to be flushed under the other's session key.

Attack Vector

The attack vector is network-based and does not require user interaction, but exploitation requires high concurrency and depends on timing. An attacker with a low-privileged account on a multi-tenant Agno deployment can issue parallel run or arun requests with crafted session_state payloads. If a victim request executes concurrently, the attacker's payload, or the victim's payload, can be redirected to the other session. The scope is changed because data crosses the trust boundary between distinct user sessions.

No verified exploit code is published. Refer to the GitHub Security Advisory GHSA-vw84-hprm-cxmm for the maintainer description of the race window.

Detection Methods for CVE-2025-64168

Indicators of Compromise

  • Session records in the Agno persistence store containing fields or messages that do not match the owning user's prior history.
  • User-reported incidents of seeing another user's conversation, tool output, or profile data inside an Agent or Team response.
  • Audit log entries where the session_id written to storage does not match the session_id of the originating request handler.

Detection Strategies

  • Inventory Agno deployments and identify any service running versions 2.0.0 through 2.2.1 that pass session_state into run or arun calls.
  • Add server-side assertions that verify the session_id persisted on completion equals the session_id authenticated at request entry.
  • Replay load tests with concurrent requests carrying distinct, tagged session_state values and confirm no cross-assignment occurs.

Monitoring Recommendations

  • Log every session_state write with the authenticated user identifier and the target session_id, then alert on mismatches.
  • Monitor request concurrency on Agent and Team endpoints and correlate spikes with session integrity check failures.
  • Track upstream dependency versions in software composition analysis tooling so Agno releases below 2.2.2 raise an alert.

How to Mitigate CVE-2025-64168

Immediate Actions Required

  • Upgrade Agno to version 2.2.2 or later across all runtime and control plane components.
  • Audit recent session data for cross-contamination, focusing on time windows with concurrent multi-user activity.
  • Rotate any secrets or tokens that may have been carried inside session_state during the exposure window.

Patch Information

The maintainers patched the race condition in Agno 2.2.2. Upgrade using the project's standard package manager workflow and redeploy all agent and team workers. Consult the GitHub Security Advisory GHSA-vw84-hprm-cxmm for release details.

Workarounds

  • Stop passing session_state to run or arun and instead load state inside the call using the authenticated session_id.
  • Serialize requests per session at the application layer until the upgrade to 2.2.2 is complete.
  • Restrict the affected endpoints to single-tenant deployments until patched, eliminating the cross-user exposure path.
bash
# Upgrade Agno to the patched release
pip install --upgrade "agno>=2.2.2"

# Verify the installed version
python -c "import agno; print(agno.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.