CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-fg23-3346-88f5: Langroid: Path traversal in the file tools allows read/write outside configured current directory

highpublic exploitCVSS 7.1CVE-2026-50181
Summary Langroid's ReadFileTool and WriteFileTool appear to treat curr_dir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to curr_dir and then operate on the user-supplied file_path without resolving and enforcing that the final path remains inside curr_dir. As a result, a tool caller can supply path traversal sequences such as ../secret.txt to read files outside the configured current directory, or ../written_by_tool.txt to write files outside that directory. This can impact applications that expose Langroid file tools to an LLM agent, user-controlled tool call, or delegated coding/documentation agent while relying on curr_dir to restrict file access to a project/workspace directory. Details Affected components: - langroid/agent/tools/file_tools.py - langroid/utils/system.py Relevant behavior observed: ReadFileTool contains a comment indicating the intended assumption: ASSUME: file_path should be relative to the curr_dir The tool then changes into the configured current directory and calls read_file(self.file_path). WriteFileTool similarly resolves curr_dir, changes into that directory, and calls create_file(self.file_path, self.content). The issue is that changing the process working directory does not prevent traversal. A path such as ../secret.txt is still valid and resolves outside the configured curr_dir. In local testing, ReadFileTool successfully read a file outside the configured sandbox directory, and WriteFileTool successfully wrote a file outside the configured sandbox directory. PoC Tested locally against the current Langroid repository checkout. Environment: Python 3.12 Langroid installed in editable mode with pip install -e . PoC script: from pathlib import Path from tempfile import TemporaryDirectory import os os.environ["docker"] = "false" os.environ["DOCKER"] = "false" from langroid.agent.tools.file_tools impo

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.1
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-fg23-3346-88f5

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50181coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories