Hugging Face Smolagents Code Injection Vulnerability in Local Python Executor
Vulnerability
A code injection vulnerability has been identified in Hugging Face Smolagents version 1.25.0.dev0. This issue arises in the Local Python Executor component, specifically within the evaluate_augassign, evaluate_call, and evaluate_with functions. The vulnerability is an incomplete fix for a previous issue (CVE-2025-9959) and allows for remote code execution by exploiting dunder methods that have been improperly validated.
Impact
Exploitation of this vulnerability leads to unauthorized code execution on the host system where Smolagents is running.
Reproduction
To reproduce this vulnerability, first install Smolagents version 1.25.0.dev0. Then, create an instance of the Local Python Executor. The vulnerability can be exploited by sending a prompt that includes a class definition with a malicious __str__ or __repr__ method, which is then processed by the executor. This method can use the generator frame escape primitive to manipulate the execution environment and import unauthorized modules, such as os, to execute arbitrary commands.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.