CVE-2025-64168

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-64168
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-64168.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-64168
Aliases
Published
2025-10-31T14:58:54Z
Modified
2025-11-06T05:58:47.260683Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Agno session state overwrites between different sessions/users
Details

Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2.

Database specific
{
    "cwe_ids": [
        "CWE-362",
        "CWE-668"
    ]
}
References

Affected packages

Git / github.com/agno-agi/agno

Affected ranges

Type
GIT
Repo
https://github.com/agno-agi/agno
Events

Affected versions

v2.*

v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1