griptape-tools 0.16.3

Direct Vulnerabilities

Known vulnerabilities in the griptape-tools package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M SQL Injection griptape-tools is a Tools for the Griptape framework. Affected versions of this package are vulnerable to SQL Injection through the `execute_query` path in the SQL tool and loader components. An attacker can execute malicious SQL against the connected database by prompt-injecting the LLM to supply unsafe `sql_query` input. In affected deployments, this can lead to remote code execution on databases that support command execution features such as PostgreSQL `COPY ... FROM PROGRAM`, as well as arbitrary file read/write, data exfiltration, or denial of service through destructive or resource-intensive queries. How to fix SQL Injection? There is no fixed version for `griptape-tools`.	[0.5.0,)
L Directory Traversal griptape-tools is a Tools for the Griptape framework. Affected versions of this package are vulnerable to Directory Traversal via the `filename` handling in the code-writing path used by `execute_code_in_container` in `griptape/tools/computer/tool.py`. An attacker can write arbitrary files on the host by prompting the agent to supply a crafted `filename` such as `../../...` and controlling the code content written to that path. This issue affects agents that use `ComputerTool` to write code into a local working directory before container execution; the write can escape the intended workdir and overwrite files with the privileges of the Griptape process. How to fix Directory Traversal? There is no fixed version for `griptape-tools`.	[0.16.0,)

Vulnerability

Vulnerable Version

SQL Injection

griptape-tools is a Tools for the Griptape framework.

Affected versions of this package are vulnerable to SQL Injection through the execute_query path in the SQL tool and loader components. An attacker can execute malicious SQL against the connected database by prompt-injecting the LLM to supply unsafe sql_query input. In affected deployments, this can lead to remote code execution on databases that support command execution features such as PostgreSQL COPY ... FROM PROGRAM, as well as arbitrary file read/write, data exfiltration, or denial of service through destructive or resource-intensive queries.

How to fix SQL Injection?

There is no fixed version for griptape-tools.

[0.5.0,)

Directory Traversal

griptape-tools is a Tools for the Griptape framework.

Affected versions of this package are vulnerable to Directory Traversal via the filename handling in the code-writing path used by execute_code_in_container in griptape/tools/computer/tool.py. An attacker can write arbitrary files on the host by prompting the agent to supply a crafted filename such as ../../... and controlling the code content written to that path. This issue affects agents that use ComputerTool to write code into a local working directory before container execution; the write can escape the intended workdir and overwrite files with the privileges of the Griptape process.

How to fix Directory Traversal?

There is no fixed version for griptape-tools.

[0.16.0,)

griptape-tools@0.16.3

Tools for the Griptape framework.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically