CVE-2026-25481 Overview
CVE-2026-25481 is a critical code injection vulnerability in Langroid, a framework for building large-language-model-powered applications. This vulnerability represents a bypass of the security fix implemented for CVE-2025-46724. The flaw exists in the TableChatAgent component which calls the pandas_eval tool to evaluate expressions. While a Web Application Firewall (WAF) was introduced in langroid/utils/pandas_utils.py to block code injection attempts, researchers discovered it can be bypassed due to the _literal_ok() function returning False instead of raising an UnsafeCommandError on invalid input. This, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__), allows attackers to chain whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code.
Critical Impact
Remote attackers can bypass security controls to achieve arbitrary code execution on systems running vulnerable versions of Langroid through malicious expressions evaluated by TableChatAgent.
Affected Products
- Langroid versions prior to 0.59.32
Discovery Timeline
- 2026-02-04 - CVE-2026-25481 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25481
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code, also known as Code Injection). The flaw enables remote code execution through an incomplete security fix that was meant to address a previous code injection vulnerability (CVE-2025-46724).
The vulnerability arises from a logic error in the input validation mechanism. The _literal_ok() function was designed to validate user-supplied expressions but fails to properly handle invalid input by returning False instead of raising an exception. This silent failure allows malicious input to pass through subsequent validation stages.
More critically, the sanitization logic does not restrict access to Python's dunder (double underscore) attributes. These special attributes, such as __init__, __globals__, and __builtins__, provide access to the Python runtime internals and can be exploited to escape sandboxed environments and execute arbitrary code.
Root Cause
The root cause is twofold: (1) the _literal_ok() validation function fails silently by returning False rather than raising an UnsafeCommandError exception, creating an inconsistent security boundary, and (2) the absence of restrictions on dunder attribute access allows attackers to traverse Python's object hierarchy to access dangerous builtin functions. This combination enables attackers to chain together whitelisted DataFrame methods to ultimately access the eval builtin and execute arbitrary Python code.
Attack Vector
The attack is network-based and requires user interaction: a victim's Langroid application must process attacker-controlled input through the TableChatAgent. An attacker crafts a malicious expression that appears benign to the WAF but exploits the validation gap and dunder attribute access to achieve code execution. The attack chains whitelisted pandas DataFrame methods to navigate Python's object model, eventually reaching __builtins__ to extract and invoke the eval function with attacker-controlled code.
# Security patch in langroid/utils/pandas_utils.py
# Adds validation to block dangerous dunder and private attributes
raise UnsafeCommandError("subscript must be literal")
self.generic_visit(node)
+ # Attribute access
+ def visit_Attribute(self, node: ast.Attribute) -> None:
+ # Block dunder attributes to prevent access to __init__, __globals__, etc.
+ if node.attr.startswith("__") and node.attr.endswith("__"):
+ raise UnsafeCommandError(f"dunder attribute '{node.attr}' not allowed")
+ # Block single underscore private attributes as well for defense in depth
+ if node.attr.startswith("_") and node.attr not in WHITELISTED_DF_METHODS:
+ raise UnsafeCommandError(f"private attribute '{node.attr}' not allowed")
+ self.generic_visit(node)
+
# Method calls
def visit_Call(self, node: ast.Call) -> None:
if not isinstance(node.func, ast.Attribute):
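Review bot: in visit_Attribute the second check exempts any underscore-prefixed name that is present in WHITELISTED_DF_METHODS, and the first check fires only when the name both starts and ends with "__", so a name like "_x" or "__x" would be accepted if it ever landed in the whitelist. If the whitelist holds only public DataFrame methods the "and node.attr not in WHITELISTED_DF_METHODS" clause is dead code and can be dropped so that every underscore-prefixed attribute is rejected unconditionally; otherwise assert at import time that no whitelist entry starts with "_". The visible lines also leave the return value of _literal_ok() untouched and show no regression test for the dunder cases, both of which are worth covering in the same change.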
Source: GitHub Commit Change
Detection Methods for CVE-2026-25481
Indicators of Compromise
- Unusual expressions containing dunder attributes (__init__, __globals__, __builtins__) in application logs or input fields processed by TableChatAgent
- Attempts to access private Python attributes (single underscore prefix) through pandas DataFrame operations
- Unexpected process spawning or network connections originating from Langroid application processes
- Error messages or exceptions related to attribute access violations in pandas evaluation contexts
Detection Strategies
- Implement application-level logging for all expressions passed to the pandas_eval tool and monitor for patterns attempting to access dunder or private attributes
- Deploy runtime application self-protection (RASP) solutions to detect and block code injection attempts targeting Python eval functions
- Use SentinelOne's behavioral AI to identify anomalous code execution patterns that may indicate successful exploitation
- Monitor for unexpected imports or module loading activity within Langroid application processes
Monitoring Recommendations
- Enable verbose logging in Langroid applications to capture all TableChatAgent expressions for security review
- Configure alerting for any access attempts to Python builtins through attribute chaining patterns
- Implement network monitoring to detect unusual outbound connections from LLM application servers that could indicate post-exploitation activity
How to Mitigate CVE-2026-25481
Immediate Actions Required
- Upgrade Langroid to version 0.59.32 or later immediately, as this version contains the security patch
- If immediate upgrade is not possible, disable or restrict access to the TableChatAgent functionality until patching can be completed
- Review application logs for any evidence of exploitation attempts prior to patching
- Audit any systems where Langroid is deployed with network exposure for signs of compromise
Patch Information
The vulnerability has been patched in Langroid version 0.59.32. The fix adds a new visit_Attribute method to the AST visitor that explicitly blocks access to dunder attributes (those starting and ending with double underscores) and private attributes (those starting with single underscores that are not in the whitelist). This defense-in-depth approach prevents attackers from traversing Python's object hierarchy to access dangerous builtins. For complete patch details, refer to the GitHub Commit Change and the GitHub Security Advisory GHSA-jqq5-wc57-f8hj.
Workarounds
- Disable the pandas_eval tool functionality entirely if it is not required for your application's use case
- Implement additional input validation at the application layer to reject expressions containing underscore-prefixed attributes before they reach Langroid
- Deploy network segmentation to limit the blast radius if exploitation occurs, isolating Langroid instances from sensitive internal systems
- Apply principle of least privilege to the service accounts running Langroid applications to minimize impact of successful code execution
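An added example, not Langroid's own code: an application-layer pre-filter for the workaround above (reject underscore-prefixed attributes before they reach Langroid) that also serves as the log check described under Detection Strategies. The names UnsafeExpression, underscore_findings, require_safe and scan_log and the "expr=" log layout are assumptions; the string-literal check goes beyond the attribute check the page describes.

```python
import ast

class UnsafeExpression(ValueError):
    """Raised for every refused expression (hypothetical name)."""

def underscore_findings(expr: str) -> list[str]:
    """List underscore-prefixed attributes/names and dunder-bearing literals."""
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        # Fail closed: input that cannot be parsed is refused, not waved through.
        raise UnsafeExpression(f"unparsable expression: {exc}") from exc
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            found.append(f"attribute:{node.attr}")
        elif isinstance(node, ast.Name) and node.id.startswith("_"):
            found.append(f"name:{node.id}")
        elif isinstance(node, ast.Constant) and "__" in str(node.value):
            # A dunder handed over as a string never appears as ast.Attribute.
            found.append(f"string:{node.value}")
    return sorted(found)

def require_safe(expr: str) -> str:
    """Return expr unchanged or raise; there is no False result to ignore."""
    found = underscore_findings(expr)
    if found:
        raise UnsafeExpression(f"underscore access refused: {found}")
    return expr

# Constructed log lines; the "expr=" field layout is an assumption.
SAMPLE_LOG = [
    "2026-02-06T10:00:01Z pandas_eval expr=df.groupby('region')['sales'].sum()",
    "2026-02-06T10:00:07Z pandas_eval expr=df.head().__init__",
    "2026-02-06T10:00:09Z pandas_eval expr=df._mgr",
    "2026-02-06T10:00:12Z pandas_eval expr=df.head(",
]

def scan_log(lines):
    """Return (line number, reason) for each logged expression that is refused."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        _, sep, expr = line.partition("expr=")
        if not sep:
            continue
        try:
            require_safe(expr.strip())
        except UnsafeExpression as exc:
            hits.append((lineno, str(exc)))
    return hits
```

Call require_safe() on every expression before it is handed to the agent, and run scan_log() over retained logs when reviewing for attempts made before patching.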
# Upgrade Langroid to patched version
# (quote the requirement so the shell does not treat ">=" as a redirect)
pip install --upgrade "langroid>=0.59.32"
# Verify installed version
pip show langroid | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


