
CVE-2025-11844: CWE-643 Improper Neutralization of Data within XPath Expressions in huggingface huggingface/smolagents

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-11844, cve, cve-2025-11844, cwe-643
Published: Wed Oct 22 2025 (10/22/2025, 13:13:55 UTC)
Source: CVE Database V5
Vendor/Project: huggingface
Product: huggingface/smolagents

Description

Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.

AI-Powered Analysis

Last updated: 10/22/2025, 13:46:11 UTC

Technical Analysis

The vulnerability identified as CVE-2025-11844 affects Hugging Face's Smolagents, an AI-driven web automation tool, specifically version 1.20.0. The flaw exists in the search_item_ctrl_f function within the src/smolagents/vision_web_browser.py file, where user input is directly concatenated into an XPath expression without proper sanitization or escaping. This improper neutralization of data (CWE-643) enables an attacker to inject malicious XPath syntax, altering the intended query logic. Such injection can bypass intended search filters, granting access to DOM elements that should be restricted, and potentially disrupt the automated workflows that rely on these queries. The impact includes limited information disclosure, manipulation of AI agent interactions, and compromised reliability of automated web tasks. The vulnerability is remotely exploitable over the network without requiring authentication but does require user interaction, such as triggering the vulnerable search function. The CVSS 3.0 base score is 5.4, indicating medium severity, reflecting the limited confidentiality and integrity impact and no availability impact. No known exploits are reported in the wild as of the publication date. The issue is fixed in Smolagents version 1.22.0, where proper input sanitization and escaping have been implemented to prevent XPath injection.

Potential Impact

For European organizations leveraging Hugging Face's Smolagents for AI-driven web automation, this vulnerability poses risks primarily to the confidentiality and integrity of automated processes. Attackers exploiting the XPath injection can bypass search filters, potentially exposing sensitive DOM elements or data not intended for access. This could lead to partial information disclosure, manipulation of AI agent behavior, and disruption of automated workflows critical for business operations. While the vulnerability does not directly impact system availability, compromised automation reliability can cause operational inefficiencies or erroneous decision-making. Organizations in sectors relying heavily on AI automation for data processing, such as finance, healthcare, or research, may experience amplified impacts. Given the medium severity and requirement for user interaction, the threat level is moderate but warrants timely remediation to prevent exploitation, especially in environments where Smolagents are integrated into critical workflows.

Mitigation Recommendations

European organizations should upgrade Hugging Face Smolagents to version 1.22.0 or later, where the XPath injection vulnerability is patched. Until upgrading is feasible, implement input validation and sanitization at the application layer to ensure user-supplied data does not contain malicious XPath syntax. Employ web application firewalls (WAFs) capable of detecting and blocking XPath injection patterns. Restrict access to the vulnerable search functionality to trusted users or networks to reduce exposure. Conduct thorough code reviews and security testing on any custom extensions or integrations involving XPath queries. Monitor logs for unusual query patterns or errors indicative of injection attempts. Educate users about the risks of interacting with untrusted inputs in automated workflows. Finally, maintain an inventory of systems using Smolagents to ensure all instances are identified and patched promptly.
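The concatenation flaw from the description and the application-layer escaping recommended above, as an added Python example; it is not the Smolagents code or its 1.22.0 fix. The query shape `//*[contains(text(), ...)]`, all function names and the probe strings are assumptions made for illustration. XPath 1.0 has no escape character, so a value containing both quote types is split and rejoined with `concat()`.

```python
import re

# Assumed query shape for a "find text on page" helper; not copied from Smolagents.
TEMPLATE = "//*[contains(text(), {})]"

def xpath_literal(value: str) -> str:
    """Encode value as one XPath 1.0 string expression."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote types present: single-quote each piece and rejoin the
    # pieces with a double-quoted apostrophe inside concat().
    pieces = [f"'{p}'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def build_query_unsafe(text: str) -> str:
    # Vulnerable pattern: raw input dropped between hard-coded quotes.
    return TEMPLATE.format(f"'{text}'")

def build_query_safe(text: str) -> str:
    return TEMPLATE.format(xpath_literal(text))

_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
_EXPECTED = re.compile(r"//\*\[contains\(text\(\), (S|concat\(S(, S)+\))\)\]")

def keeps_shape(expr: str) -> bool:
    """True if, with string literals masked, only the fixed template remains."""
    return _EXPECTED.fullmatch(_LITERAL.sub("S", expr)) is not None

# Constructed regression inputs (not taken from the advisory).
PROBES = ["Sign in", "it's", "x') or ('1'='1", 'say "hi" to O\'Brien']

def report():
    """Map each probe to (unsafe query keeps shape, safe query keeps shape)."""
    return {p: (keeps_shape(build_query_unsafe(p)), keeps_shape(build_query_safe(p)))
            for p in PROBES}

if __name__ == "__main__":
    for probe, (unsafe_ok, safe_ok) in report().items():
        print(f"{probe!r:28} unsafe_ok={unsafe_ok} safe_ok={safe_ok}")
```

`keeps_shape` is a regression check for a test suite, not a runtime filter; the protection comes from building the argument with `xpath_literal`.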


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2025-10-16T09:30:14.323Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68f8dca32e6b0a7b0dc9bfb1

Added to database: 10/22/2025, 1:31:15 PM

Last enriched: 10/22/2025, 1:46:11 PM

Last updated: 10/24/2025, 1:18:25 AM
