GHSA-22c2-9gwg-mj59
Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
상세
### Summary [LanceDocChatAgent](https://github.com/langroid/langroid/blob/main/langroid/agent/special/lance_doc_chat_agent.py#L158) uses pandas eval() through `compute_from_docs()`: https://github.com/langroid/langroid/blob/18667ec7e971efc242505196f6518eb19a0abc1c/langroid/vector_store/base.py#L136-L150
As a result, an attacker may be able to make the agent run malicious commands through [QueryPlan.dataframe_calc](https://github.com/langroid/langroid/blob/main/langroid/agent/special/lance_tools.py#L16) compromising the host system.
### Fix Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.