The CVE-2025-XXXXX vulnerability exists within the `search_item_ctrl_f` function of the Smolagents library. This function is designed to locate items on a web page by constructing an XPath query for a Document Object Model (DOM) parser. The function takes a user-supplied search string and directly interpolates it into an XPath expression string using f-string formatting in Python. Since the user input is not sanitized or escaped, an attacker can provide a string containing special XPath characters and operators, such as single quotes, brackets, or the `|` operator for union. When this malicious input is incorporated into the query, it alters the structure and logic of the XPath expression. This allows the attacker to break out of the intended search context, modify the query’s path, and potentially access sensitive DOM nodes that should be restricted. The injected XPath can bypass intended filters, retrieve hidden data, or cause the function to return an incorrect or manipulated set of elements, thereby compromising the integrity and security of the web automation agent’s decision-making process.
Platform: Hugging Face Smolagents
Version: 1.20.0
Vulnerability: XPath Injection
Severity: Moderate
Date: Oct 22, 2025
Prediction: Patch expected Oct 29, 2025
What Undercode Says:
pip list | grep smolagents
python -c "from src.smolagents.vision_web_browser import search_item_ctrl_f; help(search_item_ctrl_f)"
Vulnerable Code Snippet (simplified)
def search_item_ctrl_f(self, search_string: str):
    # Vulnerable pattern: the raw user string is interpolated straight into the
    # XPath expression, so quotes, brackets and `|` in it become query syntax.
    xpath_query = f"//*[contains(., '{search_string}')]"
    return self.dom_tree.xpath(xpath_query)
Proof-of-Concept Exploit Input
malicious_search = "')] | //*[@password] | //*[contains(., '"
How the Exploit Works:
Attacker-controlled input manipulates XPath query logic to access unauthorized DOM nodes, bypass filters, and extract sensitive data from the parsed web page structure during the agent’s automation task.
Protection from this CVE
Upgrade Smolagents to version 1.22.0. Implement input sanitization for XPath queries, using parameterized queries or escaping mechanisms to neutralize control characters in user input before string interpolation.
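As an added illustration of the escaping mitigation described above (example code written for this page, not Smolagents' own), the helper below quotes the user string as an XPath 1.0 string literal so it can never terminate the contains() argument; the builder and helper names are assumptions, and the input strings in the comments are constructed.

```python
# XPath 1.0 has no escape sequences inside string literals, so a value that
# contains both quote kinds must be split into pieces joined with concat().
# Function names here are illustrative, not the Smolagents API.

def xpath_literal(value: str) -> str:
    """Return `value` as a safe XPath 1.0 string literal."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Mixed quotes: keep single-quoted chunks and emit each embedded single
    # quote as its own double-quoted piece, e.g. concat('it', "'", 's "x"').
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def build_search_query_unsafe(search_string: str) -> str:
    # The advisory's pattern: raw f-string interpolation (vulnerable).
    return f"//*[contains(., '{search_string}')]"


def build_search_query_safe(search_string: str) -> str:
    # Hardened form: a breakout attempt such as the constructed input
    # "')] | //*[@password]" becomes one literal, so its `)]` and `|` are
    # searched for as text rather than parsed as query structure.
    return f"//*[contains(., {xpath_literal(search_string)})]"
```

When the DOM parser is lxml, binding the value as an XPath variable (`tree.xpath("//*[contains(., $q)]", q=search_string)`) is the simpler option, since the engine then never sees the user text as expression syntax.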
Impact:
Information disclosure, manipulation of AI agent interactions, disruption of web automation workflows, and potential compromise of automated task reliability.
Sources:
Reported By: github.com