CVE-2025-46726: Langroid Vulnerable to XXE Injection via XMLToolMessage
First published: Mon May 05 2025(Updated: )
### Summary A LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. ### Details `XMLToolMessage` uses `lxml` without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 `lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries ### PoC A typical Quadratic blowup XML payload looks like this: ```xml <!DOCTYPE bomb [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> ]> <bomb>&c;</bomb> ``` Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application. ### Fix Langroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Langroid | <0.53.4 | |
| pip/langroid | <0.53.4 | 0.53.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f
- https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
- https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52
- https://nvd.nist.gov/vuln/detail/CVE-2025-46726
- https://github.com/advisories/GHSA-pw95-88fg-3j6f (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-46726?
CVE-2025-46726 has a high severity rating due to the potential for denial-of-service attacks and exposure of sensitive local files.
How do I fix CVE-2025-46726?
To fix CVE-2025-46726, upgrade Langroid to version 0.53.4 or later.
What are the consequences of CVE-2025-46726?
The consequences of CVE-2025-46726 include possible denial-of-service and exposure of sensitive information from local files.
Which versions of Langroid are affected by CVE-2025-46726?
Versions of Langroid prior to 0.53.4 are affected by CVE-2025-46726.
What type of input vulnerability does CVE-2025-46726 involve?
CVE-2025-46726 involves a vulnerability to untrusted XML input that can lead to unintended consequences.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-pw95-88fg-3j6f
- alias/CVE-2025-46726
- agent/last-modified-date
- agent/references
- collector/nvd-cve
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/langroid
- canonical/langroid
- package-manager/pip