GHSA-vw84-hprm-cxmm

Source

https://github.com/advisories/GHSA-vw84-hprm-cxmm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vw84-hprm-cxmm/GHSA-vw84-hprm-cxmm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vw84-hprm-cxmm

Aliases

CVE-2025-64168

Published

2025-10-31T21:24:53Z

Modified

2025-10-31T22:12:46.704033Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Agno session state overwrites between different sessions/users

Details

Impact

Under certain conditions (under high concurrency), when session_state is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user.

Patches

This has been patched in version 2.2.2. Upgrade with pip install -U agno.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-31T21:24:53Z",
    "nvd_published_at": "2025-10-31T15:15:43Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-362",
        "CWE-668"
    ]
}

References

Affected packages

PyPI / agno

Package

Name: agno; View open source insights on deps.dev
Purl: pkg:pypi/agno

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.2.2

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.2.0

2.2.1