
Vulnerabilities from the last week
Malicious Package
adril7123 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
Deserialization of Untrusted Data
smolagents (🤗 smolagents) is a barebones library for agents. Agents write Python code to call tools or orchestrate other agents.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of pickle data. An attacker can execute arbitrary code by sending specially crafted pickle data to the service.
Note:
The report was rejected for being out of scope for the bug bounty program.
The package maintainers closed the case as a duplicate of another report.
See the security policy for more information.
Deserialization of Untrusted Data
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the GetAsanaObject processor, which uses generic Java object serialization and deserialization without filtering. An attacker can execute arbitrary code by supplying crafted serialized objects to the configured cache server.
Note:
This is only exploitable if the system is running with the GetAsanaObject processor and the attacker has direct access to the configured cache server.
Recent vulnerabilities disclosed by Snyk
- [M] Remote Code Execution (RCE) in n8n-workflow (npm)
- [M] Remote Code Execution (RCE) in n8n-nodes-base (npm)
- [M] Remote Code Execution (RCE) in @n8n/config (npm)
- [M] Cross-site Request Forgery (CSRF) in fastapi-sso (pip)
- [M] Cross-site Scripting (XSS) in @tiptap/extension-link (npm)
Snyk security researchers have disclosed 3454 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




