7.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-46726

GHSA ID

GHSA-pw95-88fg-3j6f

EPSS Score

0.17342%

CWE

CWE-611

Published

5/5/2025

Updated

5/5/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46726

CVE-2025-46726: Langroid Allows XXE Injection via XMLToolMessage

Summary

A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.

Details

XMLToolMessage uses lxml without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries

PoC

A typical Quadratic blowup XML payload looks like this:

<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>

Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.

Fix

Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

(GitHub Advisory)

7.8

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-46726

GHSA ID

GHSA-pw95-88fg-3j6f

EPSS Score

0.17342%

CWE

CWE-611

Published

5/5/2025

Updated

5/5/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
langroid	pip	< 0.53.4	0.53.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis began by reviewing the vulnerability description, which clearly indicated that the XMLToolMessage class was vulnerable due to its use of lxml without proper safeguards, specifically pointing to the XML parsing logic. The provided commit 36e7e7db4dd1636de225c2c66c84052b1e9ac3c3 was then examined. The commit diff showed modifications in langroid/agent/xml_tool_message.py directly addressing this issue. The extract_field_values method within the XMLToolMessage class was identified as the location of the vulnerable code. The patch modified the initialization of lxml.etree.XMLParser within this method to include security flags (resolve_entities=False, load_dtd=False, no_network=True) to prevent XXE and related attacks. Therefore, the extract_field_values method, in its state prior to this patch, is the vulnerable function as it directly handled the insecure parsing of XML input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * LLM *ppli**tion l*v*r**in* `XMLToolM*ss***` *l*ss m*y ** *xpos** to untrust** XML input t**t *oul* r*sult in *oS *n*/or *xposin* lo**l *il*s wit* s*nsitiv* in*orm*tion. ### **t*ils `XMLToolM*ss***` us*s `lxml` wit*out s****u*r*s: *ttps

Reasoning

T** *n*lysis ****n *y r*vi*win* t** vuln*r**ility **s*ription, w*i** *l**rly in*i**t** t**t t** `XMLToolM*ss***` *l*ss w*s vuln*r**l* *u* to its us* o* `lxml` wit*out prop*r s****u*r*s, sp**i*i**lly pointin* to t** XML p*rsin* lo*i*. T** provi*** *om

7.8

Basic Information

Concerned about an active attack path?

CVE-2025-46726: Langroid Allows XXE Injection via XMLToolMessage

Summary

Details

PoC

Fix

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI