Miggo Logo
Miggo Vulnerability Database
CVE-2025-64168

CVE-2025-64168: Agno session state overwrites between different sessions/users

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-64168
GHSA ID
GHSA-vw84-hprm-cxmm
EPSS Score
0.06546%
CWE
CWE-362
Published
10/31/2025
Updated
10/31/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
agnopip>= 2.0.0, < 2.2.22.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a race condition in the agno library that occurs when Agent or Team instances handle concurrent run or arun requests. The root cause was the use of shared instance variables (e.g., _tools_for_model, _functions_for_model) to store tool definitions that were dynamically generated for each execution. The session_state, which contains user-specific data, was being bound to these tools.

Under high concurrency, a race condition could occur: one execution thread could generate its tools and bind its session_state, but before it finished, another thread could overwrite the shared tool definitions with its own tools and session_state. This would cause the first thread to proceed with the second thread's session data, leading to information disclosure between users.

The patch, identified in commit e33e12e127431bfcfb0ef9f673745f8f369bdbf6, resolves this issue by refactoring the tool handling logic. Instead of storing tool definitions in instance variables, the code was changed to process them as local variables within the scope of each run or arun call. This ensures that each execution has its own isolated set of tools and that session_state cannot leak between concurrent requests. The vulnerable functions are the public run and arun methods of the Agent and Team classes, as they are the entry points for triggering this race condition.

Vulnerable functions

Agent.run
libs/agno/agno/agent/agent.py
The `run` method was vulnerable to a race condition because it relied on shared instance variables (`_tools_for_model`, `_functions_for_model`) to store tool definitions that were dynamically generated for each run. When multiple `run` calls were executed concurrently, they would overwrite this shared state. This could lead to a `session_state` from one user's session being attached to the tools of another user's session, causing data leakage. The patch resolves this by processing tools as local variables within the scope of each `run` call, thus isolating them and preventing the race condition.
Agent.arun
libs/agno/agno/agent/agent.py
The `arun` method was vulnerable to the same race condition as `run`. Concurrent executions of `arun` could lead to the `session_state` of one session being incorrectly associated with another session's tools due to the use of shared instance variables for storing tool configurations. The fix isolates tool processing within the scope of each `arun` call by using local variables, thereby eliminating the possibility of state corruption between concurrent runs.
Team.run
libs/agno/agno/team/team.py
The `Team.run` method suffered from a race condition vulnerability identical to `Agent.run`. Tool configurations, including the `session_state`, were stored in shared instance variables. Under high concurrency, this could cause one user's session data to leak into another user's session. The patch mitigates this by ensuring that tool definitions are handled as local variables within each `run` call, preventing state from being shared across concurrent executions.
Team.arun
libs/agno/agno/team/team.py
The `Team.arun` method was vulnerable to a race condition where concurrent calls could lead to `session_state` being overwritten and shared between different sessions. This was due to tool definitions being stored in instance variables. The fix ensures that each `arun` call processes its own set of tools as local variables, preventing data leakage between concurrent sessions.

WAF Protection Rules

WAF Rule

### Imp**t Un**r **rt*in *on*itions (un**r *i** *on*urr*n*y), w**n `s*ssion_st*t*` is p*ss** to *n ***nt or T**m *urin* run or *run **lls, * r*** *on*ition **n o**ur, **usin* * `s*ssion_st*t*` to ** *ssi*n** *n* p*rsist** to t** in*orr**t s*ssion. T*

Reasoning

T** vuln*r**ility is * r*** *on*ition in t** `**no` li*r*ry t**t o**urs w**n `***nt` or `T**m` inst*n**s **n*l* *on*urr*nt `run` or `*run` r*qu*sts. T** root **us* w*s t** us* o* s**r** inst*n** v*ri**l*s (*.*., `_tools_*or_mo**l`, `_*un*tions_*or_mo