CVE-2025-12695: DSPy PythonInterpreter overly permissive sandbox allows sensitive file reads

GHSA-vvw2-h478-xwr3 | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published November 4, 2025
CISO Take

DSPy's PythonInterpreter ships with an overly permissive sandbox configuration, and no fixed release exists for versions ≤ 3.0.3. Any AI agent built on DSPy that runs PythonInterpreter on code derived from user-controlled input lets an attacker read files the interpreter process can reach, including credentials on the host. Immediately audit all DSPy deployments, disable PythonInterpreter in agent pipelines that accept external input, and confine agent processes with strict filesystem restrictions until an upstream patch is released. With no fix available this is a remove-or-contain decision, not patch-and-move-on.

What is the risk?

The CVSS 5.9 Medium rating understates operational risk in agentic deployments. AC:H reflects that the attacker must get the agent to execute specific code rather than supplying it directly; in AI agent contexts that is routinely achievable through direct user interaction or indirect prompt injection via ingested content. The High confidentiality impact is the critical factor: an attacker can read credentials, .env files, SSH keys, cloud IAM tokens, and application secrets accessible to the agent process. Organizations running DSPy agents in shared environments or with privileged filesystem access face materially higher effective risk, and with no patch available the exposure persists for every day the component remains in production.

What systems are affected?

Package   Ecosystem   Vulnerable range   Patched
DSPy      pip         <= 3.0.3           No patch available
Package profile: 35.2K, 112 dependents, last pushed 5 days ago, 0% patched.

Do you use DSPy? Every release up to and including 3.0.3 carries the affected PythonInterpreter; your deployment is exposed wherever that class executes code derived from external input.

How severe is it?

CVSS 3.1: 5.9 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: Exploit available; exploitation likelihood MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

What should I do?

7 steps
  1. AUDIT

    Identify all DSPy deployments using PythonInterpreter in production (grep codebase for 'PythonInterpreter' imports).

  2. DISABLE

    Remove or gate PythonInterpreter usage in any pipeline accepting external or user-controlled input until a patch is available.

  3. ISOLATE

    Run DSPy agent processes in minimal containers with a read-only root filesystem, mount only the directories strictly required, keep /etc, /home and credential stores out of the container, and block egress to cloud instance metadata endpoints (169.254.169.254 and equivalents) from the agent's network namespace.

  4. LEAST PRIVILEGE

    Run agent processes as non-root under an AppArmor or SELinux profile that denies reads of sensitive paths. Use seccomp to drop syscalls the agent never needs, but note that seccomp filters cannot inspect path strings, so path-based denies belong in the LSM profile or the mount layout, not in seccomp.

  5. INPUT VALIDATION

    Treat the code the model produces as untrusted. Sanitising the natural-language prompt is not sufficient, because the attacker controls what the model is asked to do; instead apply an allowlist of permitted modules and operations to the generated code before it is executed and reject anything outside it.

  6. MONITOR

    Add file-access alerts for sensitive paths (/etc/passwd, ~/.aws, .env, /proc/self/environ) from processes running DSPy agents, including failed attempts, which are a strong signal that injected instructions are being executed.

  7. TRACK

    Subscribe to DSPy PyPI releases and the GitHub Advisory GHSA-vvw2-h478-xwr3 for patch notification.
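Steps 2 and 5 amount to placing a policy check between the model's output and the interpreter. The block below is an added example written for this page, not code from DSPy or from the advisory: a static allowlist gate that parses the generated source with Python's ast module and refuses imports outside an allowlist, calls to file, evaluation and reflection builtins, and any dunder attribute or name, before the code reaches whatever executes it. The `run` callable, the `ALLOWED_MODULES` set and the `CodePolicyViolation` exception are assumptions for the example. This is defence in depth, not a sandbox: AST filters can be bypassed through module attribute walks and similar tricks, so it complements the container and LSM controls in steps 3 and 4 rather than replacing them.

```python
"""Static allowlist gate for LLM-generated Python (added example, not DSPy code).

Assumptions: the agent hands generated source to a callable `run(source)`
(for instance a wrapper around its code interpreter); ALLOWED_MODULES is
what this particular agent legitimately needs; CodePolicyViolation is ours.
"""
import ast

# Modules the agent is allowed to import (assumption: tune per deployment).
ALLOWED_MODULES = {"math", "statistics", "json", "re", "datetime", "collections"}

# Builtins that read files, evaluate strings, or reach into the runtime.
DENIED_CALLS = {
    "open", "exec", "eval", "compile", "__import__", "input", "breakpoint",
    "getattr", "setattr", "delattr", "globals", "locals", "vars", "dir",
}


class CodePolicyViolation(Exception):
    """Raised when generated code is refused before execution."""


def _dotted_name(node):
    """Turn `a.b.c` (an Attribute chain ending in a Name) into 'a.b.c'; else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def check_generated_code(source):
    """Return a list of policy violations; an empty list means the code passes."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error at line {exc.lineno}: {exc.msg}"]

    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    violations.append(f"line {node.lineno}: import '{alias.name}' not allowed")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            # relative imports (level > 0) are refused outright
            if node.level or root not in ALLOWED_MODULES:
                violations.append(f"line {node.lineno}: import from '{node.module}' not allowed")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DENIED_CALLS:
                violations.append(f"line {node.lineno}: call to '{name}' not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # blocks ''.__class__.__mro__ style walks to arbitrary types
            violations.append(f"line {node.lineno}: dunder attribute '{node.attr}' not allowed")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            # blocks direct use of __builtins__, __import__, __loader__ ...
            violations.append(f"line {node.lineno}: dunder name '{node.id}' not allowed")
    return violations


def gate(source, run):
    """Execute `run(source)` only if the generated code passes the policy."""
    violations = check_generated_code(source)
    if violations:
        raise CodePolicyViolation("; ".join(violations))
    return run(source)


if __name__ == "__main__":
    # Constructed inputs: a well-behaved tool call and an injected one.
    benign = "import math\nresult = math.sqrt(144)"
    injected = 'result = open("/root/.aws/credentials").read()'
    print(check_generated_code(benign))    # []
    print(check_generated_code(injected))  # one violation naming 'open'
```

Wire `gate` in front of the interpreter call and log every `CodePolicyViolation` with the offending source: a refused `open()` on a credential path is itself an indicator that the agent is being driven by injected instructions.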

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-12695?

CVE-2025-12695 is an overly permissive sandbox configuration in DSPy's PythonInterpreter, affecting versions ≤ 3.0.3 with no fixed release available. Any AI agent built on DSPy that runs PythonInterpreter on code derived from user-controlled input lets an attacker read files the interpreter process can reach, including credentials on the host. Audit all DSPy deployments, disable PythonInterpreter in agent pipelines that accept external input, and confine agent processes with strict filesystem restrictions until an upstream patch is released. With no fix available this is a remove-or-contain decision, not patch-and-move-on.

Is CVE-2025-12695 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-12695, which increases the risk of exploitation. CISA's SSVC assessment records the exploitation status as "poc" rather than "active", and the vulnerability is not listed in CISA KEV at the time of publication.

How to fix CVE-2025-12695?

1. AUDIT: Identify all DSPy deployments using PythonInterpreter in production (grep the codebase for 'PythonInterpreter' imports). 2. DISABLE: Remove or gate PythonInterpreter usage in any pipeline accepting external or user-controlled input until a patch is available. 3. ISOLATE: Run DSPy agent processes in minimal containers with a read-only root filesystem, mount only the directories strictly required, keep /etc, /home and credential stores out of the container, and block egress to cloud instance metadata endpoints. 4. LEAST PRIVILEGE: Run agent processes as non-root under an AppArmor or SELinux profile that denies reads of sensitive paths (seccomp cannot filter on path strings; use it to drop unneeded syscalls). 5. INPUT VALIDATION: Treat model-generated code as untrusted and apply an allowlist of permitted modules and operations before execution. 6. MONITOR: Alert on reads, including failed attempts, of sensitive paths (/etc/passwd, ~/.aws, .env, /proc/self/environ) by processes running DSPy agents. 7. TRACK: Subscribe to DSPy PyPI releases and the GitHub Advisory GHSA-vvw2-h478-xwr3 for patch notification.

What systems are affected by CVE-2025-12695?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic workflows, LLM-based pipelines, code execution environments, RAG pipelines.

What is the CVSS score for CVE-2025-12695?

CVE-2025-12695 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
agentic workflows
LLM-based pipelines
code execution environments
RAG pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 LLM Prompt Injection: Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

Exploitation Scenario

An attacker interacts with a customer-facing AI assistant or internal DSPy-powered agent that uses PythonInterpreter for tool execution. They submit a crafted message, or embed instructions in a document ingested via RAG, that directs the agent to execute Python code reading sensitive files, for example open("/root/.aws/credentials").read(). DSPy's sandbox configuration does not restrict this operation. The LLM receives the file contents as code output and echoes them in its response. In cloud-hosted deployments where the sandbox also permits outbound network access, the attacker can have the agent query the instance metadata endpoint for temporary IAM credentials and then act with the instance role's permissions. The attack requires no authentication or special privileges beyond the ability to submit input to the agent.
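As an added example, not from this page or from the DSPy project, here is detection logic for the file reads in this scenario, built on Linux auditd records. It assumes watch rules such as `-w /home/dspy-agent/.aws -p r -k dspy_sensitive` are loaded, that the agent runs as a dedicated service account whose uid is known, and that the SYSCALL and PATH records of one event share the serial inside `msg=audit(<ts>:<serial>)`. The log lines, uids, pids and paths are constructed for the example.

```python
"""Alert on sensitive-file reads by the DSPy agent process, from auditd records.

Added example (not page or DSPy code). Assumptions: audit watch rules like
`-w /home/dspy-agent/.aws -p r -k dspy_sensitive` are loaded, the agent runs
as a dedicated account (uid in AGENT_UIDS), and the SYSCALL and PATH records
of one event share the serial inside `msg=audit(<ts>:<serial>)`.
The log lines below are constructed; uids, pids and paths are illustrative.
"""
import fnmatch
import re
from collections import defaultdict

# Paths whose read by the agent should page someone (fnmatch globs: '*' also spans '/').
SENSITIVE_GLOBS = [
    "/etc/passwd", "/etc/shadow", "*/.aws/*", "*/.ssh/*", "*/.env",
    "/proc/*/environ", "*/.kube/config", "*/.config/gcloud/*",
]
AGENT_UIDS = {1001}  # assumption: uid of the dspy-agent service account

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_audit_line(line):
    """Split one auditd record into a dict; adds _ts and _serial when present."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["_ts"] = m.group(1)
        fields["_serial"] = int(m.group(2))
    return fields


def is_sensitive(path):
    return any(fnmatch.fnmatch(path, g) for g in SENSITIVE_GLOBS)


def detect_sensitive_reads(lines, agent_uids=AGENT_UIDS):
    """Correlate SYSCALL and PATH records by serial; return one alert per sensitive path.

    Failed opens (success=no) are reported too: a denied read of /etc/shadow by the
    agent is a strong sign that injected instructions are being executed.
    Real logs may carry relative PATH names plus a CWD record; resolve those before
    matching (not done here).
    """
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        f = parse_audit_line(line)
        if "_serial" not in f:
            continue
        if f.get("type") == "SYSCALL":
            events[f["_serial"]]["syscall"] = f
        elif f.get("type") == "PATH" and "name" in f:
            events[f["_serial"]]["paths"].append(f["name"])

    alerts = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None or int(sc.get("uid", -1)) not in agent_uids:
            continue
        for path in ev["paths"]:
            if is_sensitive(path):
                alerts.append({
                    "serial": serial, "ts": sc.get("_ts"), "pid": int(sc.get("pid", 0)),
                    "comm": sc.get("comm"), "path": path,
                    "success": sc.get("success") == "yes",
                })
    return alerts


# Constructed sample: the agent (uid 1001, pid 1337) reads its credential file and
# its own environment, has one read of /etc/shadow denied, and sshd (uid 0) opens
# an unrelated key file. syscall=257 is openat on x86_64.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1762252800.101:4521): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=1337 uid=1001 comm="python3" exe="/opt/agent/venv/bin/python3" key="dspy_sensitive"
type=PATH msg=audit(1762252800.101:4521): item=0 name="/home/dspy-agent/.aws/credentials" inode=1234 mode=0100600
type=SYSCALL msg=audit(1762252800.102:4522): arch=c000003e syscall=257 success=yes exit=4 ppid=900 pid=1337 uid=1001 comm="python3" exe="/opt/agent/venv/bin/python3" key=(null)
type=PATH msg=audit(1762252800.102:4522): item=0 name="/app/data/report.csv" inode=5678 mode=0100644
type=SYSCALL msg=audit(1762252800.103:4523): arch=c000003e syscall=257 success=no exit=-13 ppid=900 pid=1337 uid=1001 comm="python3" exe="/opt/agent/venv/bin/python3" key="dspy_sensitive"
type=PATH msg=audit(1762252800.103:4523): item=0 name="/etc/shadow" inode=42 mode=0100640
type=SYSCALL msg=audit(1762252800.104:4524): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2001 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="dspy_sensitive"
type=PATH msg=audit(1762252800.104:4524): item=0 name="/root/.ssh/authorized_keys" inode=77 mode=0100600
type=SYSCALL msg=audit(1762252800.105:4525): arch=c000003e syscall=257 success=yes exit=5 ppid=900 pid=1337 uid=1001 comm="python3" exe="/opt/agent/venv/bin/python3" key="dspy_sensitive"
type=PATH msg=audit(1762252800.105:4525): item=0 name="/proc/self/environ" inode=0 mode=0100400
"""

if __name__ == "__main__":
    for alert in detect_sensitive_reads(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Run against the sample the function returns three alerts for pid 1337 (the credential file, the denied /etc/shadow attempt, and /proc/self/environ) and ignores both the benign report.csv read and the sshd event, because the uid filter keeps the rule scoped to the agent account. In a real deployment feed it from `ausearch -k dspy_sensitive` or the audit dispatcher, and treat the metadata-endpoint case separately at the network layer, since that is an outbound connection rather than a file open.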

Weaknesses (CWE)

CWE-653 — Improper Isolation or Compartmentalization: The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

  • [Architecture and Design] Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
November 4, 2025
Last Modified
November 4, 2025
First Seen
November 4, 2025
