CVE-2025-14931: smolagents: RCE via pickle deserialization in executor

GHSA-q9r5-6hrr-9ph7 CRITICAL
Published December 23, 2025
CISO Take

CVE-2025-14931 is a CVSS 10.0 remote code execution vulnerability in Hugging Face smolagents' Remote Python Executor, where an unauthenticated attacker can send maliciously crafted pickle data over the network to execute arbitrary code as the service account — no credentials, no user interaction required. With 88 downstream dependents and a top-11% EPSS score, any organization running smolagents-based agent pipelines has direct exposure, and service accounts in AI agent deployments typically hold LLM API keys, cloud credentials, and database access that dramatically amplify post-exploitation blast radius. While not yet in CISA KEV and no public exploit is confirmed, the maximum CVSS score and zero-auth network vector put this firmly in tier-1 patch priority territory. Upgrade beyond smolagents 1.23.0 immediately; if no patched release is available yet, isolate the Remote Python Executor behind network controls and restrict access to trusted internal systems only.

Sources: NVD, EPSS, GitHub Advisory, ATLAS, ZDI Advisory

What is the risk?

CRITICAL. The combination of CVSS 10.0, no authentication requirement, network attack vector with no user interaction, and a scope-changed impact across confidentiality, integrity, and availability creates the worst-case exploitability profile. Pickle deserialization exploits are extensively documented in the Python security community with abundant tooling, lowering the skill bar for exploitation. AI agent frameworks like smolagents typically run with elevated service account privileges to access APIs, credentials, and infrastructure — amplifying post-exploitation impact well beyond the agent process itself. The 88 downstream dependents extend organizational risk to any system embedding smolagents as a dependency.

How does the attack unfold?

Initial Access (AML.T0049)
Attacker discovers an internet-exposed or network-accessible smolagents Remote Python Executor endpoint via scanning or OSINT on the target's AI infrastructure.
Payload Delivery (AML.T0050)
Attacker crafts a malicious Python pickle payload encoding arbitrary OS commands and submits it to the unauthenticated executor endpoint without any credentials.
Code Execution (AML.T0112)
The Remote Python Executor deserializes the untrusted pickle data without validation, triggering execution of embedded commands as the service account.
Credential Harvest & Pivot (AML.T0072)
Attacker exfiltrates LLM API keys, cloud credentials, and database connection strings from the agent's environment, then establishes persistence and pivots to downstream systems.

What systems are affected?

Package: smolagents
Ecosystem: pip
Vulnerable range: <= 1.23.0
Patched: No patch
Package profile: 93 dependents, 25% patched, ~10 days to patch

Do you use smolagents? You're affected.

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 53% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

  1. IMMEDIATE

    Audit all environments for smolagents <= 1.23.0 using 'pip show smolagents' or SBOM/dependency scanning tools.

  2. PATCH

    Upgrade to the latest patched release as soon as available; monitor GHSA-q9r5-6hrr-9ph7 and the smolagents GitHub releases page for the fix.

  3. NETWORK ISOLATION

    If patching is not immediately feasible, place the Remote Python Executor behind a firewall or VPN — eliminate any public-facing exposure entirely.

  4. DETECTION

    Monitor for unexpected outbound connections from the smolagents service process, anomalous child process spawning, and unexpected network traffic patterns indicative of reverse shell activity.

  5. CREDENTIAL ROTATION

    Audit and rotate all API keys and credentials accessible from the smolagents service account as a precautionary measure, particularly LLM API keys and cloud credentials.

  6. SBOM TRACKING

    Add smolagents to software composition analysis pipelines and configure automated alerts for future CVEs in this package.
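Step 4 asks for monitoring of child process spawning and unexpected outbound connections from the executor process. The following is an added example of that detection logic run over a few constructed process-creation and socket-connect events; it is not smolagents code, and the JSON event format, the command-line marker used to recognise the executor process, the allowlisted destination network and the sample events are all assumptions made for the demo.

```python
"""Flag shell spawns and unexpected egress from a Remote Python Executor
process (step 4, DETECTION). Added example, not smolagents code; the event
format, the executor marker and the allowlist are demo assumptions."""
import json
from ipaddress import ip_address, ip_network

# ASSUMPTION: executor processes are recognised by a substring of their
# command line; adjust to the real service definition in your deployment.
EXECUTOR_MARKER = "remote_python_executor"

# Shells and network tools the executor process has no reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "nc", "ncat", "curl", "wget"}

# Destinations the executor legitimately talks to (constructed for the demo).
ALLOWED_NETS = [ip_network("10.20.0.0/16")]
ALLOWED_PORTS = {443}

# Constructed JSON-lines telemetry: one executor start, one allowed connection,
# one shell spawned by the executor, one connection outside the allowlist, and
# one unrelated shell whose parent is not the executor.
SAMPLE_TELEMETRY = """
{"type": "process_start", "pid": 4100, "ppid": 1, "cmdline": "/usr/bin/python3 -m remote_python_executor --port 8080"}
{"type": "net_connect", "pid": 4100, "dst_ip": "10.20.5.10", "dst_port": 443}
{"type": "process_start", "pid": 4188, "ppid": 4100, "cmdline": "/bin/sh -c uname"}
{"type": "net_connect", "pid": 4100, "dst_ip": "203.0.113.7", "dst_port": 4444}
{"type": "process_start", "pid": 4190, "ppid": 2000, "cmdline": "/bin/bash -l"}
"""


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def executor_pids(events):
    """PIDs of processes whose command line marks them as the executor."""
    return {e["pid"] for e in events
            if e.get("type") == "process_start"
            and EXECUTOR_MARKER in e.get("cmdline", "")}


def detect(events):
    """Return one alert dict per suspicious child process or egress."""
    pids = executor_pids(events)
    alerts = []
    for e in events:
        kind = e.get("type")
        if kind == "process_start" and e.get("ppid") in pids:
            cmdline = e.get("cmdline", "")
            exe = cmdline.split()[0].rsplit("/", 1)[-1] if cmdline else ""
            if exe in SUSPICIOUS_CHILDREN:
                alerts.append({"rule": "executor_spawned_shell", "pid": e["pid"],
                               "ppid": e["ppid"], "cmdline": cmdline})
        elif kind == "net_connect" and e.get("pid") in pids:
            dst = ip_address(e["dst_ip"])
            allowed = (any(dst in net for net in ALLOWED_NETS)
                       and e.get("dst_port") in ALLOWED_PORTS)
            if not allowed:
                alerts.append({"rule": "executor_unexpected_egress", "pid": e["pid"],
                               "dst": f"{e['dst_ip']}:{e['dst_port']}"})
    return alerts


def run_demo():
    """Run the two rules over the constructed telemetry."""
    return detect(parse_events(SAMPLE_TELEMETRY.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample data the two rules fire once each: the shell spawned under the executor's PID and the connection to a destination outside the allowlisted network. In a real deployment the allowlist should be derived from the executor's known dependencies (model endpoints, internal services) so that any other egress is worth a look.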

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system operational requirements
NIST AI RMF
  GOVERN 6.2 - Policies and procedures for AI risks and responsibilities
  MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-14931 actively exploited?

No confirmed active exploitation of CVE-2025-14931 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-14931?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-agent systems, Agentic AI pipelines, Remote code execution sandboxes, Hugging Face-based AI deployments.

What is the CVSS score for CVE-2025-14931?

CVE-2025-14931 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.83%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Multi-agent systems, Agentic AI pipelines, Remote code execution sandboxes, Hugging Face-based AI deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.4
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312.

Exploitation Scenario

An adversary scans for internet-exposed smolagents Remote Python Executor endpoints or targets a known deployment via internal network access. Using standard Python pickle exploitation techniques — a malicious pickle payload encoding os.system or subprocess calls is a well-known, one-liner construct — the attacker serializes and sends the payload to the unauthenticated executor endpoint. The service deserializes the pickle object without validation, triggering arbitrary OS command execution as the service account. The attacker establishes a reverse shell, enumerates environment variables for LLM API keys and cloud credentials, and pivots to downstream services the agent had access to. In a multi-agent deployment, the compromised executor can be used to inject malicious data or instructions into other agents sharing the same infrastructure, enabling lateral movement across the AI agent mesh.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
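The two CWE-502 mitigations above, in code: an HMAC-SHA256 seal so the receiver rejects any serialized blob that was modified in transit or not produced by a holder of the shared key, and a restricted unpickler that refuses to resolve any global (class or function) outside an explicit allowlist, so even a correctly sealed pickle cannot construct arbitrary objects. This is an added example and not smolagents code; the shared key, the allowlist and the sample payloads are assumptions made for the demo.

```python
"""HMAC-sealed, allowlist-restricted pickle loading (CWE-502 mitigations).
Added example, not smolagents code; key and allowlist are demo assumptions."""
import hashlib
import hmac
import io
import pickle
import secrets
from collections import Counter
from typing import Any

TAG_LEN = 32  # HMAC-SHA256 digest length

# ASSUMPTION: in a real deployment the key is shared out-of-band between the
# producer and the executor; it is generated here only so the demo runs alone.
SHARED_KEY = secrets.token_bytes(32)


def seal(obj: Any, key: bytes) -> bytes:
    """Serialize obj and prefix an HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that only resolves (module, name) pairs in ALLOWED.

    Plain data (dict, list, tuple, str, bytes, int, float, bool, None) needs no
    global lookup and loads fine; anything referencing a class or function,
    which is how pickle reaches code execution, is refused before any object
    is built. Extend ALLOWED only with classes whose construction is
    side-effect free.
    """
    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def open_sealed(blob: bytes, key: bytes) -> Any:
    """Verify the tag in constant time, then load through the allowlist."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: modified data or wrong key")
    return AllowlistUnpickler(io.BytesIO(body)).load()


def demo() -> dict:
    """Exercise the accept and reject paths on constructed payloads."""
    results = {}
    good = seal({"task": "summarize", "args": [1, 2, 3]}, SHARED_KEY)
    results["roundtrip"] = open_sealed(good, SHARED_KEY)

    # Flip one byte of the body: the tag no longer matches.
    tampered = good[:TAG_LEN] + bytes([good[TAG_LEN] ^ 0x01]) + good[TAG_LEN + 1:]
    try:
        open_sealed(tampered, SHARED_KEY)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"

    # Same bytes, different key: rejected before deserialization starts.
    try:
        open_sealed(good, secrets.token_bytes(32))
        results["wrong_key"] = "accepted"
    except ValueError:
        results["wrong_key"] = "rejected"

    # Correctly sealed by a key holder, but the pickle references the global
    # collections.Counter: the allowlist stops it even though the tag is valid.
    try:
        open_sealed(seal(Counter("aab"), SHARED_KEY), SHARED_KEY)
        results["global_ref"] = "accepted"
    except pickle.UnpicklingError:
        results["global_ref"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The seal answers the advisory's core problem (data from an unauthenticated network peer is trusted), while the allowlist limits the damage if the key leaks or a legitimate producer is compromised. The stronger fix remains not accepting pickle from the network at all and exchanging a data-only format such as JSON, which is what the second CWE mitigation (populate a new object from validated fields) amounts to in practice.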

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
December 23, 2025
Last Modified
May 7, 2026
First Seen
May 7, 2026
