SecuriTricks - CVE-2025-64168

Description

Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2.

Product(s) Impacted

Vendor	Product	Versions
Agno	Framework	2.0.0-2.2.1, <2.2.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	agno	framework	2.0.0-2.2.1	/	/	/	/	/	/	/
a	agno	framework	<2.2.2	/	/	/	/	/	/	/

References

https://github.com/agno-agi/agno/security/advisories/GHSA-vw84-hprm-cxmm

CVSS Score

7.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

View Vector String

Timeline

Published: Oct. 31, 2025, 3:15 p.m.
Last Modified: Oct. 31, 2025, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-64168