Use of Incorrectly-Resolved Name or Reference Affecting strands-agents package, versions [,1.18.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-STRANDSAGENTS-14157238
- published5 Dec 2025
- disclosed2 Dec 2025
- creditUnknown
Introduced: 2 Dec 2025
CVE NOT AVAILABLE CWE-706 (opens in a new tab)How to fix?
Upgrade strands-agents to version 1.18.0 or higher.
Overview
strands-agents is an A model-driven approach to building AI agents in just a few lines of code
Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via dynamic tool module registration in ToolLoader. The load_tools_from_file_path and load_python_tools helpers insert tool modules into sys.modules under names taken directly from the tool file’s base_name or the tool_name argument without validation or namespacing. An attacker can load a tool whose name matches a standard library or internal module, overwriting that entry in sys.modules and hijacking subsequent imports, potentially altering SDK or application behavior.