MEDIUM 5.3
PYSEC-2026-1571
Llama Stack could potentially allow for remote code execution
Details
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote code execution.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / llama-stack
Introduced in:
0 Fixed in: 0.2.20 Fix
pip install --upgrade 'llama-stack>=0.2.20' References
- https://nvd.nist.gov/vuln/detail/CVE-2025-55178 [ADVISORY]
- https://github.com/llamastack/llama-stack/pull/3281 [WEB]
- https://github.com/llamastack/llama-stack/commit/efdb5558b8dcab4d141678bfed0a405e2f312b6f [WEB]
- https://github.com/llamastack/llama-stack [PACKAGE]
- https://github.com/llamastack/llama-stack/releases/tag/v0.2.20 [WEB]
- https://www.facebook.com/security/advisories/cve-2025-55178 [WEB]
- https://pypi.org/project/llama-stack [PACKAGE]
- https://github.com/advisories/GHSA-x75h-m6jj-6cj2 [ADVISORY]