CVE-2025-51482
Published: 22 July 2025
Summary
CVE-2025-51482 is a high-severity Code Injection (CWE-94) vulnerability in Letta Letta. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates inputs to the /v1/tools/run_tool_from_source endpoint to block crafted payloads that enable code injection and bypass sandbox restrictions.
Enforces process isolation and sandboxing to prevent arbitrary Python code execution even if payloads reach the tool runner.
Remediates the specific flaw in letta.server.rest_api.routers.v1.tools.run_tool_from_source by applying the available patch from pull request 2630.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote code execution via exploitation of a public-facing REST API endpoint (/v1/tools/run), allowing arbitrary Python code and system command execution by bypassing inadequate sandbox restrictions.
NVD Description
Remote Code Execution in letta.server.rest_api.routers.v1.tools.run_tool_from_source in letta-ai Letta 0.7.12 allows remote attackers to execute arbitrary Python code and system commands via crafted payloads to the /v1/tools/run endpoint, bypassing intended sandbox restrictions.
Deeper analysisAI
CVE-2025-51482 is a remote code execution vulnerability affecting letta-ai Letta version 0.7.12, specifically in the letta.server.rest_api.routers.v1.tools.run_tool_from_source component. Published on 2025-07-22, it enables remote attackers to execute arbitrary Python code and system commands by sending crafted payloads to the /v1/tools/run endpoint, bypassing intended sandbox restrictions. The issue is classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability is exploitable by unauthenticated remote attackers over the network with low complexity, though it requires user interaction. Successful exploitation grants high-impact remote code execution, compromising confidentiality, integrity, and availability on the targeted system.
Mitigation is addressed in the letta-ai Letta GitHub repository (https://github.com/letta-ai/letta) and via pull request 2630 (https://github.com/letta-ai/letta/pull/2630), with additional details in Gecko Security's blog post (https://www.gecko.security/blog/cve-2025-51482). Security practitioners should apply the patch and review deployments of Letta 0.7.12 or earlier.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Letta is an open-source framework for building stateful AI agents with tool execution capabilities. The vulnerability occurs in the REST API endpoint for running tools from source code (/v1/tools/run), which is a core integration point for agent tool protocols, allowing arbitrary code execution due to inadequate sandboxing.