CVE-2026-25481
Published: 04 February 2026
Summary
CVE-2026-25481 is a critical-severity Code Injection (CWE-94) vulnerability in Langroid Langroid. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents code injection by validating and sanitizing user-supplied expressions passed to the pandas_eval tool, blocking malicious chains accessing dunder attributes like __globals__ and __builtins__.
Ensures timely remediation through patching to version 0.59.32, which fixes the WAF bypass in _literal_ok() and restricts dangerous dunder attributes.
Minimizes exposure by disabling or restricting nonessential capabilities like the TableChatAgent and pandas_eval tool unless operationally required.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection in web-exposed Langroid TableChatAgent (WAF bypass to Python eval) directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution on the host.
NVD Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code…
more
injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32.
Deeper analysisAI
CVE-2026-25481 is a code injection vulnerability affecting Langroid, a framework for building large-language-model-powered applications. In versions prior to 0.59.32, the TableChatAgent component can invoke the pandas_eval tool to evaluate expressions, bypassing a Web Application Firewall (WAF) introduced in langroid/utils/pandas_utils.py to mitigate CVE-2025-46724. The bypass occurs because the _literal_ok() function returns False on invalid input instead of raising an UnsafeCommandError, while dangerous dunder attributes such as __init__, __globals__, and __builtins__ remain unrestricted. This enables attackers to chain whitelisted DataFrame methods to access the eval builtin and execute arbitrary code.
The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges required, but user interaction needed, and a changed scope with high impacts on confidentiality, integrity, and availability. Attackers can exploit it by crafting malicious input that tricks users into processing it via a vulnerable Langroid application using TableChatAgent, such as in an LLM-driven interface handling table data. Successful exploitation grants arbitrary code execution on the host system.
The issue has been addressed in Langroid version 0.59.32. Official advisories and the patching commit are available on GitHub, including the security advisory GHSA-jqq5-wc57-f8hj, related advisory GHSA-x34r-63hx-w57f for the prior CVE, and commit 30abbc1a854dee22fbd2f8b2f575dfdabdb603ea detailing the fix.
This vulnerability is particularly relevant to AI/ML deployments, as Langroid targets LLM-powered applications, and it stems from CWE-94 (improper control of code generation). No public reports of real-world exploitation are noted as of the CVE publication on 2026-02-04.
Details
- CWE(s)