Description

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox enforced by smolagents. The attack requires a Prompt Injection in order to trick the agent into creating malicious code.

PUBLISHED Reserved 2025-09-03 | Published 2025-09-03 | Updated 2025-09-03 | Assigner JFROG




HIGH: 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L)

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Any version before 1.21.0: affected

References

research.jfrog.com/...on-sandbox-escape-jfsa-2025-001434277/ third-party-advisory

github.com/huggingface/smolagents/pull/1551 patch

cve.org (CVE-2025-9959)

nvd.nist.gov (CVE-2025-9959)
