
Description

Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function, which could potentially allow for remote code execution.

PUBLISHED Reserved 2025-08-08 | Published 2025-09-24 | Updated 2025-09-24 | Assigner Meta

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

0.0.0 before 0.2.20: affected

References

www.facebook.com/security/advisories/cve-2025-55178

github.com/llamastack/llama-stack/pull/3281

github.com/llamastack/llama-stack/releases/tag/v0.2.20

cve.org (CVE-2025-55178)

nvd.nist.gov (CVE-2025-55178)
