Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/langroid@0.63.0
purl pkg:pypi/langroid@0.63.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-au4v-vbxp-ebb9 Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to the LLM — can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments. CVE-2026-25879
GHSA-mxfr-6hcw-j9rq

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T07:50:56.744141+00:00 GithubOSV Importer Fixing VCID-au4v-vbxp-ebb9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mxfr-6hcw-j9rq/GHSA-mxfr-6hcw-j9rq.json 38.6.0
2026-06-11T20:38:51.759035+00:00 GHSA Importer Fixing VCID-au4v-vbxp-ebb9 https://github.com/advisories/GHSA-mxfr-6hcw-j9rq 38.6.0