CVE-2025-12695: dspy: security flaw enables exploitation

GHSA-vvw2-h478-xwr3 MEDIUM PoC AVAILABLE CISA: TRACK*
Published November 4, 2025
CISO Take

DSPy's PythonInterpreter has a sandbox escape with no patch available for versions ≤ 3.0.3 — any AI agent built on DSPy that processes user-controlled input and uses PythonInterpreter is exposing its host filesystem to arbitrary file reads. Immediately audit all DSPy deployments, disable PythonInterpreter in agent pipelines accepting external input, and isolate agent processes with strict filesystem restrictions until an upstream patch is released. The absence of a fix makes this a remove-or-contain decision, not a patch-and-move-on.

Risk Assessment

The CVSS 5.9 Medium rating understates operational risk in agentic deployments. AC:H assumes an attacker must craft specific input — in AI agent contexts this is routinely achievable via direct user interaction or indirect prompt injection through ingested content. The High confidentiality impact is the critical factor: an attacker can read credentials, .env files, SSH keys, cloud IAM tokens, and application secrets accessible to the agent process. Organizations running DSPy agents in shared environments or with privileged filesystem access face materially higher effective risk. The absence of a patch amplifies exposure for every day this remains in production.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
dspy      pip         <= 3.0.3           No patch

Severity & Risk

CVSS 3.1: 5.9 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Recommended Action

7 steps
  1. AUDIT

    Identify all DSPy deployments using PythonInterpreter in production (grep codebase for 'PythonInterpreter' imports).

  2. DISABLE

    Remove or gate PythonInterpreter usage in any pipeline accepting external or user-controlled input until a patch is available.

  3. ISOLATE

    Run DSPy agent processes in minimal containers with read-only root filesystems — mount only directories strictly required, deny access to /etc, /home, credential stores, and cloud metadata endpoints.

  4. LEAST PRIVILEGE

    Run agent processes as non-root with seccomp/AppArmor profiles; explicitly deny open/read syscalls on sensitive paths.

  5. INPUT VALIDATION

    Sanitize all user input before it reaches code execution paths; consider an allowlist of permitted operations.

  6. MONITOR

    Add file-access alerts for sensitive paths (/etc/passwd, ~/.aws, .env, /proc/self/environ) from processes running DSPy agents.

  7. TRACK

    Subscribe to DSPy PyPI releases and the GitHub Advisory GHSA-vvw2-h478-xwr3 for patch notification.
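As an added illustration of the MONITOR step above (example code, not part of the advisory or of the DSPy project): a small detector that scans audit-style file-access events and flags reads of the sensitive paths listed in the steps by processes identified as DSPy agent workers. The event line format, the process-name markers, the sample events and the path patterns beyond those the advisory names (.ssh, /proc/*/environ) are assumptions.

```python
import fnmatch
import re
from collections import namedtuple

# Sensitive paths from the advisory's MONITOR step, with ~ expanded to /root and /home/*;
# the .ssh and /proc/*/environ patterns are assumptions added for illustration.
SENSITIVE_PATTERNS = [
    "/etc/passwd", "/proc/self/environ", "/proc/*/environ",
    "/root/.aws/*", "/home/*/.aws/*", "*/.env",
    "/root/.ssh/*", "/home/*/.ssh/*",
]
# Substrings that identify DSPy agent worker processes (assumed naming convention).
AGENT_MARKERS = ("dspy", "pythoninterpreter")
# Assumed audit-style event record: timestamp, pid, process name, syscall, path.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" '
    r'syscall=(?P<sc>\w+) path="(?P<path>[^"]*)"$'
)
READ_SYSCALLS = {"open", "openat", "read"}
Alert = namedtuple("Alert", "ts pid comm path rule")  # rule = pattern that matched

def matching_rule(path):
    # First sensitive-path pattern that matches, or None; case-sensitive glob match.
    return next((p for p in SENSITIVE_PATTERNS if fnmatch.fnmatchcase(path, p)), None)

def is_agent_process(comm):
    return any(marker in comm.lower() for marker in AGENT_MARKERS)

def detect(lines):
    # One Alert per sensitive file read made by a DSPy agent process; other lines are ignored.
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["sc"] not in READ_SYSCALLS or not is_agent_process(m["comm"]):
            continue
        rule = matching_rule(m["path"])
        if rule:
            alerts.append(Alert(m["ts"], int(m["pid"]), m["comm"], m["path"], rule))
    return alerts

# Constructed sample events for demonstration, not real audit logs.
SAMPLE_EVENTS = [
    '2025-11-04T10:00:01Z pid=4242 comm="dspy-agent" syscall=openat path="/root/.aws/credentials"',
    '2025-11-04T10:00:02Z pid=4242 comm="dspy-agent" syscall=openat path="/app/data/faq.md"',
    '2025-11-04T10:00:03Z pid=17 comm="sshd" syscall=openat path="/etc/passwd"',
    '2025-11-04T10:00:04Z pid=4242 comm="dspy-agent" syscall=openat path="/proc/self/environ"',
    '2025-11-04T10:00:05Z pid=4243 comm="PythonInterpreter-worker" syscall=openat path="/app/.env"',
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts (the .aws credentials, /proc/self/environ and .env reads) and skips the sshd read of /etc/passwd, since it is not an agent process.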

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-12695 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-12695, increasing the risk of exploitation.

What systems are affected by CVE-2025-12695?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic workflows, LLM-based pipelines, code execution environments, RAG pipelines.

What is the CVSS score for CVE-2025-12695?

CVE-2025-12695 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

Exploitation Scenario

An attacker interacts with a customer-facing AI assistant or internal DSPy-powered agent that uses PythonInterpreter for tool execution. They submit a crafted message — or embed instructions in a document ingested via RAG — that directs the agent to execute Python code reading sensitive files: 'open("/root/.aws/credentials").read()'. DSPy's sandbox does not restrict this operation. The LLM receives the file contents as code output and echoes them in its response. In cloud-hosted deployments, the attacker targets the instance metadata endpoint to obtain ephemeral IAM credentials, escalating to full cloud account takeover. The attack requires no authentication or special privileges beyond the ability to submit input to the agent.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: November 4, 2025
Last Modified: November 4, 2025
First Seen: November 4, 2025
