CVE-2025-12695: DSPy does not properly restrict file reads

November 4, 2025

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

References

github.com/advisories/GHSA-vvw2-h478-xwr3
github.com/stanfordnlp/dspy
nvd.nist.gov/vuln/detail/CVE-2025-12695
research.jfrog.com/vulnerabilities/dspy-sandbox-escape-arbitrary-file-read-jfsa-2025-001495652

Code Behaviors & Features

Detect and mitigate CVE-2025-12695 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →