{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/python-library/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["langroid (\u003c= 0.63.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","python-library","vulnerability","llm-agent"],"_cs_type":"advisory","_cs_vendors":["Langroid"],"content_html":"\u003cp\u003eA significant path traversal vulnerability, tracked as CVE-2026-50181, has been identified in Langroid's \u003ccode\u003eReadFileTool\u003c/code\u003e and \u003ccode\u003eWriteFileTool\u003c/code\u003e components, affecting all versions up to and including 0.63.0. The vulnerability stems from the tools' failure to properly validate and enforce path boundaries after changing the process working directory to a \u003ccode\u003ecurr_dir\u003c/code\u003e (current directory). While the tools intend to restrict file operations to this \u003ccode\u003ecurr_dir\u003c/code\u003e, they do not resolve the user-supplied \u003ccode\u003efile_path\u003c/code\u003e to ensure it remains within this boundary. This oversight allows an attacker to use path traversal sequences, such as \u003ccode\u003e../\u003c/code\u003e, within the \u003ccode\u003efile_path\u003c/code\u003e argument to access files located outside the intended \u003ccode\u003ecurr_dir\u003c/code\u003e. The impact is particularly critical for applications that expose these file tools to user-controlled input, Large Language Model (LLM) agents, or delegated coding/documentation agents, as it can lead to unauthorized reading of sensitive files (e.g., secrets, configuration files) or modification of arbitrary files, compromising data confidentiality and integrity. The issue is present in \u003ccode\u003elangroid/agent/tools/file_tools.py\u003c/code\u003e and \u003ccode\u003elangroid/utils/system.py\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Vulnerable Application:\u003c/strong\u003e An attacker identifies an application that integrates Langroid and exposes its \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e in a way that allows user-controlled input to influence the \u003ccode\u003efile_path\u003c/code\u003e argument (e.g., via an LLM agent interface or a user-facing API).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Path:\u003c/strong\u003e The attacker crafts a \u003ccode\u003efile_path\u003c/code\u003e argument containing path traversal sequences, such as \u003ccode\u003e../\u003c/code\u003e, to reference a file outside the intended sandbox or working directory (e.g., \u003ccode\u003e../etc/passwd\u003c/code\u003e for reading, or \u003ccode\u003e../malicious_script.sh\u003c/code\u003e for writing).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvoke Vulnerable Tool:\u003c/strong\u003e The attacker sends the crafted \u003ccode\u003efile_path\u003c/code\u003e as input to the application, which then passes it directly to an instance of \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirectory Change (Internal):\u003c/strong\u003e Internally, the Langroid tool changes the process's current working directory to the configured \u003ccode\u003ecurr_dir\u003c/code\u003e (e.g., \u003ccode\u003e/var/app/sandbox/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnvalidated Path Resolution:\u003c/strong\u003e The tool then proceeds to open or create the file using the provided \u003ccode\u003efile_path\u003c/code\u003e argument. Due to the lack of proper validation, the \u003ccode\u003e../\u003c/code\u003e sequences are honored, causing the path to resolve outside the \u003ccode\u003ecurr_dir\u003c/code\u003e (e.g., \u003ccode\u003e/var/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecute Unauthorized File Operation:\u003c/strong\u003e The Langroid tool performs the requested operation (read or write) on the arbitrarily resolved file path outside the intended boundary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Disclosure / Data Modification:\u003c/strong\u003e If \u003ccode\u003eReadFileTool\u003c/code\u003e was used, the contents of the sensitive file are disclosed to the attacker. If \u003ccode\u003eWriteFileTool\u003c/code\u003e was used, the attacker can modify or create arbitrary files, potentially leading to further compromise, persistence, or data integrity violations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can severely impact applications that enable Langroid's file tools and rely on the \u003ccode\u003ecurr_dir\u003c/code\u003e parameter to establish a secure sandbox, project, or workspace boundary. If exploited, an attacker can read files outside the intended workspace, leading to the exposure of sensitive local secrets, configuration files, source code, environment files, or other critical project-adjacent data. Conversely, by exploiting \u003ccode\u003eWriteFileTool\u003c/code\u003e, an attacker could modify or create arbitrary files outside the designated project directory, which could lead to code injection, defacement, or disruption of services. The severity of the impact is contingent on how the Langroid file tools are exposed and the nature of the application's file system structure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50181:\u003c/strong\u003e Upgrade the Langroid library to a version patched for CVE-2026-50181 immediately.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Path Validation:\u003c/strong\u003e For applications using Langroid file tools, implement robust path validation logic before passing any user-controlled or LLM-generated \u003ccode\u003efile_path\u003c/code\u003e arguments to \u003ccode\u003eReadFileTool\u003c/code\u003e or \u003ccode\u003eWriteFileTool\u003c/code\u003e. Ensure all resolved paths remain strictly within the intended \u003ccode\u003ecurr_dir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003ecurr_dir\u003c/code\u003e Usage:\u003c/strong\u003e Audit all instances where \u003ccode\u003eReadFileTool\u003c/code\u003e and \u003ccode\u003eWriteFileTool\u003c/code\u003e are used, verifying that the \u003ccode\u003ecurr_dir\u003c/code\u003e is correctly configured and that no sensitive files are reachable via path traversal from this directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:11:45Z","date_published":"2026-07-03T12:11:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-50181) exists in Langroid's `ReadFileTool` and `WriteFileTool` components (versions \u003c= 0.63.0), allowing an attacker to read or write arbitrary files outside the configured `curr_dir` via crafted `file_path` arguments, potentially leading to sensitive information disclosure or unauthorized file modification in applications exposing these tools to user or LLM input.","title":"Langroid File Tools Path Traversal Vulnerability (CVE-2026-50181)","url":"https://feed.craftedsignal.io/briefs/2026-07-langroid-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Python-Library","version":"https://jsonfeed.org/version/1.1"}