CVE-2025-11844: smolagents: security flaw enables exploitation

GHSA-8mf9-rmgw-33qc MEDIUM PoC AVAILABLE CISA: TRACK*
Published October 22, 2025
CISO Take

If your team uses HuggingFace smolagents for any web automation or agentic browsing task, upgrade to v1.22.0 immediately — the fix is one pip install. The risk is not the CVSS score; it is that a malicious webpage can manipulate what your AI agent sees and acts on, turning your automated workflow into an attacker-controlled one. Until patched, restrict agent web access to allowlisted trusted domains.

Risk Assessment

Contextual risk exceeds the CVSS 5.4 (medium) for organizations running agentic AI pipelines. The vulnerability requires no privileges and targets a common autonomous browsing pattern — any smolagents deployment that allows agents to browse arbitrary web content is in scope. EPSS of 0.00041 confirms no active mass exploitation, but the attack surface is growing as agentic AI adoption accelerates. The real risk is integrity of agent decisions, not data breach directly.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| smolagents | pip | | No patch |
| smolagents | pip | < 1.22.0 | 1.22.0 |

27.1K · 86 dependents · Pushed 15d ago · 25% patched · ~10d to patch

Severity & Risk

CVSS 3.1: 5.4 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 15% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

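AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None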

Recommended Action

1. Patch: `pip install "smolagents>=1.22.0"` (quote the requirement so the shell does not treat `>` as a redirect). The fix is available and targeted (commit f570ed5e).
2. If patching is blocked, disable vision_web_browser.py usage or gate it behind domain allowlisting.
3. Add input sanitization at the tool interface layer for any XPath-consuming functions.
4. Instrument agent tool calls with logging to detect anomalous DOM query patterns.
5. Review all custom forks or copies of vision_web_browser.py: the issue is in a specific function that may have been copy-pasted.
6. Cross-check the huntr PoC (linked in references) against your deployment to confirm exploitability in your specific configuration.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: MS-2.5 - Manage AI risks from third-party entities
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-11844?

If your team uses HuggingFace smolagents for any web automation or agentic browsing task, upgrade to v1.22.0 immediately — the fix is one pip install. The risk is not the CVSS score; it is that a malicious webpage can manipulate what your AI agent sees and acts on, turning your automated workflow into an attacker-controlled one. Until patched, restrict agent web access to allowlisted trusted domains.

Is CVE-2025-11844 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-11844, increasing the risk of exploitation.

How to fix CVE-2025-11844?

1. Patch: `pip install "smolagents>=1.22.0"` (quote the requirement so the shell does not treat `>` as a redirect). The fix is available and targeted (commit f570ed5e).
2. If patching is blocked, disable vision_web_browser.py usage or gate it behind domain allowlisting.
3. Add input sanitization at the tool interface layer for any XPath-consuming functions.
4. Instrument agent tool calls with logging to detect anomalous DOM query patterns.
5. Review all custom forks or copies of vision_web_browser.py: the issue is in a specific function that may have been copy-pasted.
6. Cross-check the huntr PoC (linked in references) against your deployment to confirm exploitability in your specific configuration.

What systems are affected by CVE-2025-11844?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, web automation pipelines, AI browsing agents, multi-step agentic workflows, LLM tool-use integrations.

What is the CVSS score for CVE-2025-11844?

CVE-2025-11844 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
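The concatenation pattern described above, next to an escaped form and a structural check usable when logging tool calls. This is an added example, not smolagents code or the project's fix; the query shape, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal (XPath 1.0 has no escape char)."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: join single-quote-free pieces with concat().
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')        # a lone ' wrapped in double quotes
        if part:
            pieces.append(f"'{part}'")   # part holds no ', so single quotes are safe
    return "concat(" + ", ".join(pieces) + ")"

def unsafe_query(text: str) -> str:
    # Assumed shape of the vulnerable pattern: input pasted between quotes.
    return f"//*[contains(text(), '{text}')]"

def safe_query(text: str) -> str:
    # Same query, but the input can only ever be string data.
    return f"//*[contains(text(), {xpath_literal(text)})]"

_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
_EXPECTED = re.compile(r"//\*\[contains\(text\(\), (S|concat\(S(, S)+\))\)\]")

def skeleton(query: str) -> str:
    """Replace every string literal with S so only the query structure remains."""
    return _LITERAL.sub("S", query)

def has_expected_shape(query: str) -> bool:
    """True when the query is exactly one contains() over literal data."""
    return _EXPECTED.fullmatch(skeleton(query)) is not None

# Constructed sample inputs: plain text, an apostrophe, mixed quotes,
# and a textbook quote-breakout string.
SAMPLES = ["login", "O'Reilly", 'say "it\'s"', "x') or ('1'='1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), has_expected_shape(unsafe_query(s)),
              has_expected_shape(safe_query(s)))
```

Running `has_expected_shape` on the final query string before it reaches the browser driver gives a cheap log signal for the "anomalous DOM query patterns" item in the recommended actions.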

Exploitation Scenario

An attacker publishes a legitimate-looking webpage (e.g., a fake CVE summary site, a phishing page, or injected content on a compromised site). A smolagents-based agent browsing the web as part of a research or automation workflow calls `search_item_ctrl_f` to locate specific text. The attacker-controlled page contains XPath injection syntax embedded in visible text elements. The unsanitized input alters the XPath query, causing the function to return unintended DOM nodes — leaking hidden form data, bypassing content visibility filters, or feeding the agent incorrect page context. In a multi-step workflow, the agent proceeds to take actions (clicks, data extraction, report generation) based on this manipulated view.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Timeline

Published: October 22, 2025
Last Modified: October 30, 2025
First Seen: October 22, 2025

Related Vulnerabilities