Letta-AI Letta Remote Code Execution Vulnerability via Eval Injection in Type Coercion

A remote code execution vulnerability has been identified in Letta-AI Letta version 0.16.4. This issue arises from an eval injection in the type annotation coercion process, which is an incomplete fix for a previous vulnerability, CVE-2025-6101. The problem is located in the 'resolve_type' function within 'letta/functions/ast_parsers.py'. The vulnerability allows improper neutralization of directives in dynamically evaluated code, and can be exploited remotely without authentication.

Impact

Exploitation of this vulnerability leads to full remote code execution on the Letta server. The injected code runs in a sandboxed subprocess on the same machine, with default permissions allowing full filesystem and network access. An attacker could execute arbitrary OS commands as root, access sensitive server information such as API keys and database passwords, pivot to internal networks, and potentially install backdoors or exfiltrate data.

Reproduction

To reproduce this vulnerability, deploy Letta version 0.16.4 and define a tool with a malicious type annotation that includes a Python expression capable of executing arbitrary commands. Submit the tool and trigger its execution via the '/v1/tools/run' endpoint. The server will evaluate the annotation during type coercion, executing the injected code and resulting in remote code execution on the server.