CVE-2025-5120: smolagents: sandbox escape enables unauthenticated RCE

GHSA-6v92-r5mx-h5fx | Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published July 27, 2025
CISO Take

Any deployment of smolagents < 1.17.0 using the Python code executor is fully compromised — CVSS 10, no auth, no user interaction required. Patch to 1.17.0 immediately; until patched, disable the local Python executor or isolate the process in a hardened container with no network egress. This is a complete security boundary failure in a widely-used HuggingFace agent framework.

What is the risk?

Maximum severity (CVSS 10.0, S:C). Network-reachable with zero prerequisites — no credentials, no user interaction, no complexity. The Changed scope flag means successful exploitation pivots beyond the sandboxed process into the host system. Low EPSS (0.003) reflects novelty, not safety; public exploit details are available via huntr. Risk is highest for teams running smolagents in multi-tenant or internet-exposed agentic pipelines where untrusted inputs reach the code executor.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
smolagents   pip         -                  No patch
smolagents   pip         < 1.17.0           1.17.0

Package stats: 27.9K, 93 dependents, pushed 8d ago, 25% patched, ~10d to patch

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: 17.7% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 18%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Changed
C: High
I: High
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade smolagents to >= 1.17.0 immediately (pip install --upgrade smolagents).

  2. VERIFY

    Audit requirements.txt, pyproject.toml, and lock files across all repos and deployed environments for pinned vulnerable versions.

  3. WORKAROUND (if patching is delayed)

    Disable LocalPythonInterpreter; use E2B or Docker-based sandboxes with seccomp/AppArmor profiles instead.

  4. HARDEN

    Run smolagents in a rootless container with read-only filesystem, no network egress, and dropped capabilities (--cap-drop ALL).

  5. DETECT

    Alert on unexpected subprocess spawns, outbound connections, or file writes from Python interpreter processes. Check for imports of os, subprocess, importlib, ctypes from agent-generated code in logs.
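The VERIFY and DETECT steps above, worked through as an added example that is not part of this advisory or of the smolagents project: one helper audits requirements.txt/pyproject-style pins against the 1.17.0 fix version stated on this page, and a second walks the AST of agent-generated code for imports of the os, subprocess, importlib and ctypes modules named in the DETECT step. Function names, the sample files and the sample agent code are all constructed for this example.

```python
"""Audit dependency pins for CVE-2025-5120 and flag watched imports in
agent-generated code. Added example; not the advisory's or smolagents' code."""
import ast
import re

PACKAGE = "smolagents"
PATCHED = (1, 17, 0)  # first fixed release, per the advisory
# Modules the DETECT step says to watch for in agent-generated code
WATCHED_MODULES = {"os", "subprocess", "importlib", "ctypes"}

# Matches pins such as smolagents==1.14.0, smolagents>=1.10, "smolagents~=1.16"
PIN_RE = re.compile(r"\b" + PACKAGE + r"\s*(==|>=|<=|~=|<|>|!=)\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.16.1' -> (1, 16, 1); missing components compare as 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def audit_pins(text):
    """Return (line_no, operator, version, verdict) for every smolagents pin.
    'vulnerable': the pin cannot resolve to a fixed release.
    'unbounded': the specifier admits a vulnerable release, so the resolved
    (lock-file) version still has to be checked.
    'ok': the specifier can only resolve to >= 1.17.0."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for op, ver in PIN_RE.findall(line):
            v = parse_version(ver)
            if op == "==":
                verdict = "vulnerable" if v < PATCHED else "ok"
            elif op == "~=":
                comps = [int(p) for p in ver.split(".")]
                # ~=1.16.0 locks the 1.16.* series and can never reach 1.17.0;
                # ~=1.16 (two components) allows the whole 1.* series
                if len(comps) >= 3 and (comps[0], comps[1] + 1, 0) <= PATCHED:
                    verdict = "vulnerable"
                else:
                    verdict = "unbounded" if v < PATCHED else "ok"
            elif op in (">=", ">"):
                verdict = "unbounded" if v < PATCHED else "ok"
            else:  # <, <=, != never prove a safe resolution on their own
                verdict = "unbounded"
            findings.append((no, op, ver, verdict))
    return findings


def risky_imports(code):
    """Sorted names from WATCHED_MODULES that the snippet tries to import via
    import/from statements, __import__('x') or importlib.import_module('x')
    with a literal module name. Dynamic names built at runtime are not seen
    here, which is why the advisory also asks for process-level alerting."""
    hits = set()
    try:
        tree = ast.parse(code)
    except SyntaxError:
        # Truncated log lines still get a textual check on import statements
        return sorted(m for m in WATCHED_MODULES
                      if re.search(r"\b(?:import|from)\s+" + m + r"\b", code))
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top in WATCHED_MODULES:
                    hits.add(top)
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            if top in WATCHED_MODULES:
                hits.add(top)
        elif isinstance(node, ast.Call):
            f = node.func
            dunder = isinstance(f, ast.Name) and f.id == "__import__"
            via_importlib = isinstance(f, ast.Attribute) and f.attr == "import_module"
            if (dunder or via_importlib) and node.args and isinstance(node.args[0], ast.Constant):
                top = str(node.args[0].value).split(".")[0]
                if top in WATCHED_MODULES:
                    hits.add(top)
    return sorted(hits)


# Constructed sample inputs (not real project files or real agent output)
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.32.3
smolagents==1.14.0
"""
SAMPLE_PYPROJECT = """\
[project]
dependencies = ["smolagents>=1.10", "numpy"]
"""
SAMPLE_AGENT_CODE = """\
# constructed agent-generated snippet as it might appear in an execution log
import math, importlib
from os import environ
mod = importlib.import_module("subprocess")
print(math.sqrt(2))
"""

if __name__ == "__main__":
    for name, text in (("requirements.txt", SAMPLE_REQUIREMENTS), ("pyproject.toml", SAMPLE_PYPROJECT)):
        for no, op, ver, verdict in audit_pins(text):
            print(f"{name}:{no}: {PACKAGE}{op}{ver} -> {verdict}")
    print("watched imports in agent code:", risky_imports(SAMPLE_AGENT_CODE))
```

Run it over each requirements file, pyproject.toml and lock file the VERIFY step names; an "unbounded" verdict means the lock file, not the specifier, decides whether the deployment is exposed. The import check is a log-review aid for the DETECT step: it catches literal module names, so pair it with the subprocess and outbound-connection alerts the step describes rather than relying on it alone.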

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
8.4 - AI system technical security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain treatment of AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-5120?

Any deployment of smolagents < 1.17.0 using the Python code executor is fully compromised — CVSS 10, no auth, no user interaction required. Patch to 1.17.0 immediately; until patched, disable the local Python executor or isolate the process in a hardened container with no network egress. This is a complete security boundary failure in a widely-used HuggingFace agent framework.

Is CVE-2025-5120 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-5120, increasing the risk of exploitation.

How to fix CVE-2025-5120?

1. PATCH: Upgrade smolagents to >= 1.17.0 immediately (pip install --upgrade smolagents).
2. VERIFY: Audit requirements.txt, pyproject.toml, and lock files across all repos and deployed environments for pinned vulnerable versions.
3. WORKAROUND (if patching is delayed): Disable LocalPythonInterpreter; use E2B or Docker-based sandboxes with seccomp/AppArmor profiles instead.
4. HARDEN: Run smolagents in a rootless container with read-only filesystem, no network egress, and dropped capabilities (--cap-drop ALL).
5. DETECT: Alert on unexpected subprocess spawns, outbound connections, or file writes from Python interpreter processes. Check for imports of os, subprocess, importlib, ctypes from agent-generated code in logs.

What systems are affected by CVE-2025-5120?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code execution sandboxes, multi-agent systems, AI coding assistants, model serving.

What is the CVSS score for CVE-2025-5120?

CVE-2025-5120 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 17.65%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, code execution sandboxes, multi-agent systems, AI coding assistants, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03:2025, LLM05:2025

What are the technical details?

Original Advisory

A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic checks. Attackers can exploit whitelisted modules and functions to execute arbitrary code, compromising the host system. This flaw undermines the core security boundary intended to isolate untrusted code, posing risks such as unauthorized code execution, data leakage, and potential integration-level compromise. The issue is resolved in version 1.17.0.

Exploitation Scenario

An adversary sends a crafted task to a smolagents-powered coding assistant or autonomous agent exposed via API. The agent routes the task to LocalPythonInterpreter, which applies static/dynamic whitelisting checks. The attacker uses a whitelisted module (e.g., importlib, builtins manipulation, or a permitted stdlib function) as a pivot to re-import restricted modules or invoke os.system/subprocess. Once code executes outside the sandbox, the attacker establishes a reverse shell (AML.T0072), dumps environment variables for API keys and cloud credentials, and pivots to connected services — model registries, vector databases, or upstream CI/CD pipelines. In multi-tenant SaaS deployments, this leads to cross-tenant data exfiltration.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 27, 2025
Last Modified
August 7, 2025
First Seen
July 27, 2025
