Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Vulnerability Description
Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
CVSS Information
N/A
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Langroid 代码注入漏洞
Vulnerability Description
Langroid是Langroid开源的一个利用多代理编程开发LLM的工具。 Langroid 0.53.15之前版本存在代码注入漏洞,该漏洞源于LanceDocChatAgent通过compute_from_docs使用pandas eval处理未经验证的用户输入,可能导致执行恶意命令。
CVSS Information
N/A
Vulnerability Type
N/A