漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Vulnerability Description
Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.
CVSS Information
N/A
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Langroid 代码注入漏洞
Vulnerability Description
Langroid是Langroid开源的一个利用多代理编程开发LLM的工具。 Langroid 0.53.15之前版本存在代码注入漏洞,该漏洞源于LanceDocChatAgent通过compute_from_docs使用pandas eval处理未经验证的用户输入,可能导致执行恶意命令。
CVSS Information
N/A
Vulnerability Type
N/A