smolagents 1.24.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the smolagents package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via `requests.post` in `LocalPythonExecutor`, which doesn't filter outgoing requests made with authorized imported modules. An attacker can import a module like `requests` and use it to make arbitrary requests to internal resources. How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `smolagents`.	[0,)
H Deserialization of Untrusted Data smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of pickle data. An attacker can execute arbitrary code by sending specially crafted pickle data to the service. Note: The report was rejected for being out of scope for the bug bounty program. The package maintainers closed the case as a duplicate of another report. See the security policy for more information. How to fix Deserialization of Untrusted Data? There is no fixed version for `smolagents`.	[0,)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via requests.post in LocalPythonExecutor, which doesn't filter outgoing requests made with authorized imported modules. An attacker can import a module like requests and use it to make arbitrary requests to internal resources.

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for smolagents.

[0,)

Deserialization of Untrusted Data

smolagents is a 🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of pickle data. An attacker can execute arbitrary code by sending specially crafted pickle data to the service.

Note:

The report was rejected for being out of scope for the bug bounty program.

The package maintainers closed the case as a duplicate of another report.

See the security policy for more information.

How to fix Deserialization of Untrusted Data?

There is no fixed version for smolagents.

[0,)

smolagents@1.24.0 vulnerabilities

🤗 smolagents: a barebones library for agents. Agents write python code to call tools or orchestrate other agents.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically