CVE-2025-5120: smolagents: sandbox escape enables unauthenticated RCE

GHSA-6v92-r5mx-h5fx | CRITICAL | PoC available | CISA SSVC: Track*
Published July 27, 2025
CISO Take

Any deployment of smolagents below 1.17.0 that runs agent-generated code through the local Python executor should be treated as exposed to remote code execution on the host: CVSS 10.0, no credentials and no user interaction required once attacker-controlled text (a user prompt or a tool result) reaches the agent. Upgrade to 1.17.0 now. Until then, stop using the in-process executor and run agent code in an out-of-process sandbox (E2B or Docker) inside a hardened container with no network egress. This is a failure of the core isolation boundary in a widely used HuggingFace agent framework.

Risk Assessment

Maximum severity (CVSS 3.1 10.0, scope Changed). Network-reachable with no prerequisites: no credentials, no user interaction, low complexity. The Changed scope means a successful exploit crosses from the restricted interpreter into the host process and whatever that process can reach. The low EPSS (about 0.4%) reflects how new the CVE is, not how hard it is to exploit; exploit details are public via the huntr report. Risk is highest for multi-tenant or internet-exposed agentic pipelines where untrusted input (user prompts, tool results) reaches the code executor.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
smolagents   pip         < 1.17.0           1.17.0

Severity & Risk

CVSS 3.1 base score: 10.0 / 10
EPSS: 0.4% probability of exploitation in the next 30 days (higher than 61% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: moderate
Exploitation confidence: medium
CISA SSVC: public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. PATCH

    Upgrade smolagents to >= 1.17.0 (pip install --upgrade smolagents) and redeploy every service that bundles it.

  2. VERIFY

    Audit requirements.txt, pyproject.toml, and lock files across all repos and deployed environments for pins below 1.17.0, and confirm the running version in each environment with pip show smolagents (a lock file can lag what is actually installed).

  3. WORKAROUND (if patching is delayed)

    Do not run agent code through the in-process local Python executor (local_python_executor.py, the component named in the advisory). Use the E2B or Docker executor instead, with seccomp/AppArmor profiles on the Docker path.

  4. HARDEN

    Run smolagents in a rootless container with a read-only filesystem, no network egress, and dropped capabilities (--cap-drop ALL). This limits the blast radius rather than preventing the escape: anything inside the container, including API keys and cloud credentials in the environment, is still reachable by escaped code, so keep secrets out of the executor's process.

  5. DETECT

    Alert on unexpected subprocess spawns, outbound connections, or file writes from Python interpreter processes. Check agent-generated code in logs for imports of os, subprocess, importlib and ctypes, and for indirect routes to the same capabilities (__import__, eval/exec, bare __builtins__, __class__/__subclasses__ attribute chains), since the flaw here is precisely that an allowlist of names was bypassed.
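The following script is added here as an illustration; it is not part of the smolagents project or of this advisory. It turns steps 2 and 5 into offline checks: a requirements-file audit against the 1.17.0 fix release, and an AST-based scan of logged agent-generated code for the direct imports the page lists plus the indirect pivots (bare __builtins__ or __import__, eval/exec, dunder attribute chains) that a text search for "import os" would miss. Everything beyond os/subprocess/importlib/ctypes in the denylists, the sample requirements and the sample code blocks are constructed for the example; the indirect sample shows a generic Python interpreter-escape pattern, not the specific bypass used in CVE-2025-5120.

```python
"""Added example, not smolagents project code: offline checks for two of the
response steps above, run on constructed sample data.

audit_requirements()  step 2 (VERIFY): judge smolagents pins against 1.17.0.
scan_agent_code()     step 5 (DETECT): flag agent-generated Python that touches
                      modules, names and dunder attributes used to pivot out of
                      a restricted interpreter.
"""
import ast
import re

FIXED_VERSION = (1, 17, 0)

DENIED_MODULES = {"os", "subprocess", "importlib", "ctypes",      # from the page
                  "sys", "builtins", "socket", "shutil", "pty"}    # my additions
# Bare names that turn strings into code or reach the real builtins.
DENIED_NAMES = {"__import__", "__builtins__", "eval", "exec", "compile"}
# Dunder attributes used by generic Python sandbox pivots (object -> class
# hierarchy -> loader); not a description of the CVE-2025-5120 bypass itself.
DENIED_ATTRS = {"__class__", "__bases__", "__base__", "__mro__", "__subclasses__",
                "__globals__", "__builtins__", "__dict__", "__getattribute__"}


def parse_version(text):
    """'1.14.0' -> (1, 14, 0); '1.17' -> (1, 17, 0); suffixes like 'rc1' are ignored."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True when the version is below the fix release."""
    return parse_version(version) < FIXED_VERSION


def audit_requirements(text):
    """(requirement line, verdict) for each smolagents line in requirements text.
    Only an exact '==' pin can be judged; ranges and bare names need review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        m = re.match(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(.*)$", line)
        if not m or m.group(1).lower() != "smolagents":
            continue
        spec = m.group(2).replace(" ", "")
        if spec.startswith("==") and "," not in spec:
            verdict = "VULNERABLE" if is_vulnerable(spec.lstrip("=")) else "OK"
        else:
            verdict = "UNPINNED/REVIEW"
        findings.append((line, verdict))
    return findings


def scan_agent_code(source):
    """Findings for one logged block of agent-generated code; empty list if clean."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: unparseable code, review manually"]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    findings.add((node.lineno, f"line {node.lineno}: import {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                findings.add((node.lineno, f"line {node.lineno}: from {node.module} import ..."))
        elif isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            findings.add((node.lineno, f"line {node.lineno}: reference to {node.id}"))
        elif isinstance(node, ast.Attribute) and node.attr in DENIED_ATTRS:
            findings.add((node.lineno, f"line {node.lineno}: attribute .{node.attr}"))
        elif (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant)
              and node.slice.value in DENIED_ATTRS | DENIED_NAMES):
            findings.add((node.lineno, f"line {node.lineno}: subscript [{node.slice.value!r}]"))
    return [msg for _, msg in sorted(findings)]


# Constructed stand-ins for code blocks pulled from agent execution logs.
BENIGN = """
import math
values = [3, 1, 2]
final_answer(sum(values) / len(values) + math.pi)
"""
DIRECT = """
import subprocess
final_answer(subprocess.check_output(["id"]).decode())
"""
# No 'import' statement at all: capabilities are reached through builtins and
# the object/class hierarchy, and the module name is assembled at runtime.
INDIRECT = """
mod = getattr(__builtins__, "__imp" + "ort__")("o" + "s")
loaders = ().__class__.__bases__[0].__subclasses__()
final_answer(len(loaders))
"""
SAMPLE_REQUIREMENTS = """
smolagents==1.14.0          # pinned below the fix
smolagents[e2b]==1.17.0
smolagents>=1.10,<1.17
requests==2.32.3
"""

if __name__ == "__main__":
    for line, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:16} {line}")
    for label, code in [("benign", BENIGN), ("direct", DIRECT), ("indirect", INDIRECT)]:
        print(label, scan_agent_code(code) or ["clean"])
```

Treat the scanner as a tripwire, not a boundary. In the indirect sample the string-assembled module name is only caught because __builtins__ is referenced by name, and a determined author can route around any fixed list of names; that is the lesson of this CVE, and why step 3 (an out-of-process executor) is the control and step 5 is the alarm.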

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree. Note the gap between this assessment and the CVSS vector above: SSVC rates the technical impact partial and the attack not automatable, which is why the decision is Track rather than Act, while CVSS scores full host compromise. Let your own exposure, whether untrusted input can reach the code executor, decide which reading applies to you.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
8.4 - AI system technical security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain treatment of AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-5120?

CVE-2025-5120 is a sandbox escape in huggingface/smolagents: the local Python executor (local_python_executor.py) that is meant to run agent-generated code under static and dynamic restrictions can be made to execute arbitrary code on the host, giving unauthenticated remote code execution (CVSS 3.1 10.0) in any service that lets untrusted input reach a code-executing agent. The flaw was reported against version 1.14.0 and is fixed in 1.17.0.

Is CVE-2025-5120 actively exploited?

Public proof-of-concept details exist for CVE-2025-5120 (indexed in trickest/cve; the CISA SSVC exploitation status is "poc"). Nothing on this page flags it as listed in CISA KEV, so there is no confirmed in-the-wild exploitation, but a public PoC raises the likelihood of opportunistic attempts against exposed agents.

How to fix CVE-2025-5120?

Upgrade smolagents to 1.17.0 or later (pip install --upgrade smolagents) and redeploy. Verify by auditing requirements.txt, pyproject.toml, and lock files for pins below 1.17.0 and by checking the installed version in each environment. If you cannot patch yet, stop using the in-process local Python executor and run agent code in the E2B or Docker executor with seccomp/AppArmor profiles. In all cases run the agent in a rootless, read-only container with no network egress and --cap-drop ALL, keep credentials out of the executor's environment, and alert on subprocess spawns, outbound connections, file writes, or imports of os, subprocess, importlib and ctypes originating from agent-generated code.

What systems are affected by CVE-2025-5120?

Concretely, any service that runs smolagents < 1.17.0 with a CodeAgent executing generated code in the local Python executor. The architecture patterns tagged for this CVE: agent frameworks, code execution sandboxes, multi-agent systems, AI coding assistants, model serving.

What is the CVSS score for CVE-2025-5120?

CVE-2025-5120 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.40%.

Technical Details

NVD Description

A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic checks. Attackers can exploit whitelisted modules and functions to execute arbitrary code, compromising the host system. This flaw undermines the core security boundary intended to isolate untrusted code, posing risks such as unauthorized code execution, data leakage, and potential integration-level compromise. The issue is resolved in version 1.17.0.

Exploitation Scenario

An adversary sends a crafted task to a smolagents-powered coding assistant or autonomous agent exposed via API. The agent routes the task to LocalPythonInterpreter, which applies static/dynamic whitelisting checks. The attacker uses a whitelisted module (e.g., importlib, builtins manipulation, or a permitted stdlib function) as a pivot to re-import restricted modules or invoke os.system/subprocess. Once code executes outside the sandbox, the attacker establishes a reverse shell (AML.T0072), dumps environment variables for API keys and cloud credentials, and pivots to connected services — model registries, vector databases, or upstream CI/CD pipelines. In multi-tenant SaaS deployments, this leads to cross-tenant data exfiltration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 27, 2025
Last Modified
August 7, 2025
First Seen
July 27, 2025

Related Vulnerabilities