SparshBiswas-AI/CVE-2025-11844-smolagents

GitHub: SparshBiswas-AI/CVE-2025-11844-smolagents

Stars: 0 | Forks: 0

# 🔐 Smolagents XPath Injection Simulation Framework (CVE-2025-11844)

An educational auditing sandbox and dynamic proof-of-concept scanner demonstrating the XPath injection vulnerability in Hugging Face's `smolagents` library (up to version 1.2.0).

## 🔍 Vulnerability Profile

| Metric | Details |
| :--- | :--- |
| **CVE ID** | CVE-2025-11844 |
| **Target Component** | `search_item_ctrl_f` function in `vision_web_browser.py` |
| **Vulnerability Type** | Improper Input Validation -> XPath Injection / DOM Breakout |
| **Impact Scope** | Local Data Extraction, Information Disclosure, Arbitrary DOM Traversal |

### 🚨 Attack Vector Analysis

The target function splices an unsanitized, caller-controlled string directly into the XPath expression it hands to the browser driver:

```
//*[contains(text(), 'USER_INPUT_HERE')]
```

Because the input lands inside a single-quoted XPath string literal, any value containing a `'` closes that literal and everything after it is parsed as XPath syntax. A search term such as `') or true() or contains(text(), '` therefore turns a text search into a query that matches every element in the page, independent of the term the caller thought it was searching for.
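The following is an added example, not code from the smolagents project or from this repository. It reproduces the injection pattern above offline with `lxml` (no browser or Selenium involved) against a small constructed HTML page, and places the vulnerable f-string query beside two hardened forms: an XPath string-literal encoder for engines that cannot bind variables (Selenium's `find_elements(By.XPATH, ...)` is one), and `lxml`'s XPath variable binding where that is available. Function names, the sample page and the payload are this example's own assumptions.

```python
"""Added example: XPath injection via an f-string, beside two safe alternatives.

Requires lxml. The search helpers here are illustrative stand-ins; they are
not the smolagents `search_item_ctrl_f` implementation.
"""
from lxml import html

# Constructed sample page standing in for whatever the browser has loaded.
SAMPLE_HTML = b"""
<html><body>
  <h1>Public page</h1>
  <p>Welcome, visitor.</p>
  <div id="secret">internal token: abc123</div>
  <p>Contact us</p>
</body></html>
"""


def load_sample():
    """Parse the constructed page into an lxml element tree."""
    return html.fromstring(SAMPLE_HTML)


def vulnerable_search(doc, text):
    """Same shape as the query on the page: user text spliced into the literal."""
    return doc.xpath(f"//*[contains(text(), '{text}')]")


def xpath_literal(s):
    """Encode s as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence inside string literals, so a value that
    contains both quote kinds has to be split and rejoined with concat().
    """
    if "'" not in s:
        return f"'{s}'"
    if '"' not in s:
        return f'"{s}"'
    parts = s.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def hardened_search_literal(doc, text):
    """Safe for engines without variable binding: the value stays a literal."""
    return doc.xpath(f"//*[contains(text(), {xpath_literal(text)})]")


def hardened_search_variable(doc, text):
    """Safe where the engine supports XPath variables (lxml does): the value is
    bound to $q and never parsed as XPath syntax."""
    return doc.xpath("//*[contains(text(), $q)]", q=text)


if __name__ == "__main__":
    doc = load_sample()
    payload = "') or true() or contains(text(), '"
    for name, fn in [("vulnerable", vulnerable_search),
                     ("literal", hardened_search_literal),
                     ("variable", hardened_search_variable)]:
        hits = fn(doc, payload)
        print(f"{name:10s} payload -> {len(hits)} element(s): "
              f"{[h.tag for h in hits]}")
    print("benign 'Contact' ->", [h.text for h in vulnerable_search(doc, "Contact")])
```

With the benign term every variant returns the single `<p>Contact us</p>`; with the payload only the vulnerable variant returns the whole element set, `#secret` included, while both hardened variants return nothing because the payload is compared as text rather than executed as a predicate.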