Submit #777623: HuggingFace smolagents 1.25.0.dev0 CWE-693info

TitleHuggingFace smolagents 1.25.0.dev0 CWE-693
Description# Technical Details A Sandbox Escape via Augmented Assignment Dunder Read Bypass exists in the evaluate_augassign() function in src/smolagents/local_python_executor.py (lines 652-654) of smolagents. This is an incomplete fix for CVE-2025-9959. The CVE-2025-9959 fix added a dunder attribute access block in evaluate_attribute (line 390), but evaluate_augassign contains its own internal helper get_current_value that reads attribute values through a completely independent code path using raw getattr() without any dunder check. Similarly, the set_value function (line 822) writes attributes via raw setattr() without any dunder check. # Vulnerable Code File: src/smolagents/local_python_executor.py (lines 652-654) Method: evaluate_augassign.get_current_value() Why: Uses raw getattr(obj, target.attr) to read attribute values without checking for dunder attributes. This bypasses the dunder block in evaluate_attribute. File: src/smolagents/local_python_executor.py (lines 820-822) Method: set_value() Why: Uses raw setattr(obj, target.attr, value) to write attribute values without checking for dunder attributes, allowing __code__ overwrite. # Reproduction 1. Install smolagents (pip install smolagents). 2. Create a LocalPythonExecutor instance. 3. Execute code that uses augmented assignment on __code__ (e.g., victim.__code__ += Trap()) - this bypasses the dunder check. 4. The Trap class uses __radd__ to capture the code object, then constructs a malicious CodeType with RCE bytecode. 5. Overwrite the victim function's __code__ with the malicious code and call it - achieves arbitrary command execution. # Impact - Full Remote Code Execution on the host system. - Any smolagents CodeAgent using default LocalPythonExecutor is vulnerable. - Exploitable via prompt injection in content the agent processes.
Source⚠️ https://gist.github.com/YLChen-007/7146f45960f79bc1e2976fed526e0a9b
User
 Eric-z (UID 95890)
Submission03/11/2026 14:23 (18 days ago)
Moderation03/27/2026 09:18 (16 days later)
StatusAccepted
VulDB entry353840 [huggingface smolagents 1.25.0.dev0 Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_augassign/evaluate_call/evaluate_with code injection]
Points20

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!