CVE-2025-5120: RCE in huggingface/smolagents
Platform
python
Component
smolagents
Fixed in
1.17.0
1.17.0
CVE-2025-5120 is a critical remote code execution (RCE) vulnerability discovered in huggingface/smolagents versions up to 1.9.2. This flaw allows attackers to bypass the intended sandbox environment and execute arbitrary code on the host system. The vulnerability resides within the localpythonexecutor.py module, where inadequate restrictions on Python code execution permit exploitation of whitelisted modules and functions. A patch is available in version 1.17.0.
Detect this CVE in your project
Upload your requirements.txt file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
The impact of CVE-2025-5120 is severe. Successful exploitation allows an attacker to execute arbitrary code within the context of the smolagents process, effectively gaining control of the host system. This could lead to data theft, system compromise, and potential lateral movement within the network. The vulnerability's ability to bypass the intended sandbox significantly expands the attack surface, as it circumvents security measures designed to isolate untrusted code. The lack of robust restrictions on whitelisted modules means attackers can leverage seemingly benign functions to achieve malicious goals. This is particularly concerning in environments where smolagents is used to process untrusted input or interact with sensitive data.
Exploitation Context
CVE-2025-5120 was publicly disclosed on 2025-07-27. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation (EPSS score pending). Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation. Monitor security advisories and threat intelligence feeds for updates on exploitation attempts and potential attack campaigns.
Threat Intelligence
Exploit Status
EPSS
0.30% (53% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-5120 is to upgrade to version 1.17.0 or later of huggingface/smolagents. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the localpythonexecutor.py module and carefully review the whitelisted modules and functions to ensure they are not exploitable. Implement strict input validation and sanitization to prevent malicious code from being injected into the execution environment. Monitor system logs for suspicious activity related to Python processes and smolagents execution. After upgrading, confirm the fix by attempting to execute code through the localpythonexecutor.py module and verifying that the sandbox restrictions are properly enforced.
How to fix
Update the huggingface/smolagents library to version 1.17.0 or higher. This will resolve the sandbox escape vulnerability. You can update using `pip install huggingface/smolagents==1.17.0` or an equivalent command from your package manager.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2025-5120 — RCE in huggingface/smolagents?
CVE-2025-5120 is a critical remote code execution vulnerability in huggingface/smolagents versions up to 1.9.2. It allows attackers to bypass the sandbox and execute arbitrary code on the host system.
Am I affected by CVE-2025-5120 in huggingface/smolagents?
You are affected if you are using huggingface/smolagents versions 1.14.0 through 1.9.2. Upgrade to version 1.17.0 or later to mitigate the risk.
How do I fix CVE-2025-5120 in huggingface/smolagents?
The recommended fix is to upgrade to version 1.17.0 or later of huggingface/smolagents. If upgrading is not possible, implement temporary workarounds such as restricting access to the vulnerable module.
Is CVE-2025-5120 being actively exploited?
While active exploitation has not been confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. Monitor security advisories for updates.
Where can I find the official huggingface advisory for CVE-2025-5120?
Refer to the official huggingface security advisory for detailed information and updates regarding CVE-2025-5120: [https://huggingface.co/security/CVE-2025-5120](https://huggingface.co/security/CVE-2025-5120)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.