CVE-2025-46724: Langroid has a Code Injection vulnerability in TableChatAgent

May 20, 2025

TableChatAgent uses pandas eval(). If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection.

References

github.com/advisories/GHSA-jqq5-wc57-f8hj
github.com/langroid/langroid
github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6
github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj
nvd.nist.gov/vuln/detail/CVE-2025-46724

Code Behaviors & Features

Detect and mitigate CVE-2025-46724 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →