CVE-2025-12695

GHSA-vvw2-h478-xwr3 MEDIUM
Published November 4, 2025
CISO Take

DSPy's PythonInterpreter has a sandbox escape with no patch available for versions ≤ 3.0.3 — any AI agent built on DSPy that processes user-controlled input and uses PythonInterpreter is exposing its host filesystem to arbitrary file reads. Immediately audit all DSPy deployments, disable PythonInterpreter in agent pipelines accepting external input, and isolate agent processes with strict filesystem restrictions until an upstream patch is released. The absence of a fix makes this a remove-or-contain decision, not a patch-and-move-on.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
dspy      pip         <= 3.0.3           No patch

Do you use dspy? You're affected.

Severity & Risk

CVSS 3.1
5.9 / 10
EPSS
0.0%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
Moderate

Recommended Action

  1. AUDIT: Identify all DSPy deployments using PythonInterpreter in production (grep the codebase for 'PythonInterpreter' imports).
  2. DISABLE: Remove or gate PythonInterpreter usage in any pipeline accepting external or user-controlled input until a patch is available.
  3. ISOLATE: Run DSPy agent processes in minimal containers with read-only root filesystems — mount only directories strictly required, deny access to /etc, /home, credential stores, and cloud metadata endpoints.
  4. LEAST PRIVILEGE: Run agent processes as non-root with seccomp/AppArmor profiles; explicitly deny open/read syscalls on sensitive paths.
  5. INPUT VALIDATION: Sanitize all user input before it reaches code execution paths; consider an allowlist of permitted operations.
  6. MONITOR: Add file-access alerts for sensitive paths (/etc/passwd, ~/.aws, .env, /proc/self/environ) from processes running DSPy agents.
  7. TRACK: Subscribe to DSPy PyPI releases and the GitHub Advisory GHSA-vvw2-h478-xwr3 for patch notification.
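One way to implement the gating in steps 2 and 5, shown here as an added example rather than DSPy's own API or a fix for the advisory: a static pre-filter, built on Python's standard `ast` module, that rejects model-generated code before it is handed to any interpreter. The module allowlist, the denied-builtin set and the `check_generated_code` / `gate` names are assumptions for this example. A static check of this kind only stops the obvious file reads; it must sit in front of the isolated, unprivileged process from steps 3 and 4, not replace it.

```python
import ast

# Hypothetical policy for this example (not a DSPy setting): the only modules that
# model-generated code may import. Everything else, including os, subprocess and
# pathlib, is rejected before the snippet reaches an interpreter.
ALLOWED_MODULES = {"math", "statistics", "json", "re", "datetime", "collections", "itertools"}

# Builtins that give generated code a route to the host: file I/O, dynamic code
# loading, and reflection helpers that can reach host objects indirectly.
DENIED_BUILTINS = {
    "open", "exec", "eval", "compile", "__import__", "input", "breakpoint",
    "getattr", "setattr", "delattr", "globals", "locals", "vars", "memoryview",
}


def check_generated_code(source: str) -> list[str]:
    """Statically inspect a snippet and return every policy violation found.

    An empty list means the snippet passed the gate. This is a pre-filter only:
    it runs before execution and belongs in front of an isolated, non-root
    process, not in place of one.
    """
    violations: list[str] = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable input never reaches an interpreter either.
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root not in ALLOWED_MODULES:
                    violations.append(f"line {node.lineno}: import of '{alias.name}' is not allowlisted")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root not in ALLOWED_MODULES:
                violations.append(f"line {node.lineno}: import from '{node.module}' is not allowlisted")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DENIED_BUILTINS:
                violations.append(f"line {node.lineno}: call to denied builtin '{node.func.id}'")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Object internals expose host modules without an import statement,
            # so dunder attribute access is refused outright.
            violations.append(f"line {node.lineno}: access to dunder attribute '{node.attr}'")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            violations.append(f"line {node.lineno}: use of dunder name '{node.id}'")
    return violations


def gate(source: str) -> bool:
    """True if the snippet may be forwarded to the (isolated) interpreter."""
    return not check_generated_code(source)


if __name__ == "__main__":
    # Constructed samples: a benign computation and a file read of the kind the advisory describes.
    for snippet in ("import math\nresult = math.sqrt(16)", 'open("/etc/passwd").read()'):
        print(repr(snippet), "->", check_generated_code(snippet) or "OK")
```

Wire `gate` in directly before the call that executes generated code, and log every non-empty violation list: those entries are the file-access signal step 6 asks for, raised before any syscall happens.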

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Technical Details

NVD Description

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

Exploitation Scenario

An attacker interacts with a customer-facing AI assistant or internal DSPy-powered agent that uses PythonInterpreter for tool execution. They submit a crafted message — or embed instructions in a document ingested via RAG — that directs the agent to execute Python code reading sensitive files: 'open("/root/.aws/credentials").read()'. DSPy's sandbox does not restrict this operation. The LLM receives the file contents as code output and echoes them in its response. In cloud-hosted deployments, the attacker targets the instance metadata endpoint to obtain ephemeral IAM credentials, escalating to full cloud account takeover. The attack requires no authentication or special privileges beyond the ability to submit input to the agent.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
November 4, 2025
Last Modified
November 4, 2025
First Seen
November 4, 2025