CVE-2025-11844: CWE-643 Improper Neutralization of Data within XPath Expressions in huggingface huggingface/smolagents
CVE-2025-11844 is an XPath injection vulnerability in Hugging Face's Smolagents version 1.20.0, specifically in the search_item_ctrl_f function. The vulnerability arises from unsanitized user input being directly concatenated into XPath queries, allowing attackers to manipulate query logic. Exploitation can bypass search filters, access unintended DOM elements, and disrupt automated web tasks, potentially leading to information disclosure and manipulation of AI agent interactions. The flaw is fixed in version 1.22.0. The CVSS score is 5.4 (medium severity), with no known exploits in the wild.
AI Analysis
Technical Summary
CVE-2025-11844 identifies an XPath injection vulnerability in the Hugging Face Smolagents software, version 1.20.0, within the function search_item_ctrl_f located in src/smolagents/vision_web_browser.py. The vulnerability stems from the direct concatenation of user-supplied input into XPath expressions without proper sanitization or escaping, classified under CWE-643 (Improper Neutralization of Data within XPath Expressions). This flaw allows an attacker to inject malicious XPath syntax, altering the intended query logic. Such manipulation can bypass search filters, access DOM elements not intended for retrieval, and disrupt automated web browsing or AI agent workflows that rely on these XPath queries. The impact includes potential information disclosure, manipulation of AI agent behavior, and compromised reliability of automated tasks. The vulnerability does not require authentication but does require user interaction to trigger the injection. The CVSS 3.0 score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, and user interaction needed. The issue has been addressed in version 1.22.0 of Smolagents, though no public exploits have been reported to date.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those leveraging Hugging Face Smolagents in AI-driven automation, web scraping, or data extraction tasks. Exploitation could lead to unauthorized access to sensitive data embedded in web pages or automation workflows, potentially exposing confidential information. Manipulation of AI agent interactions could degrade the integrity and reliability of automated processes, affecting business operations that depend on accurate data retrieval and processing. While the vulnerability does not directly cause system downtime, disruption of automated workflows can lead to operational inefficiencies and increased risk of erroneous decision-making. Organizations in sectors such as finance, healthcare, research, and technology that utilize AI automation tools are particularly at risk. The medium severity score indicates a moderate risk that should be addressed promptly to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately upgrade Hugging Face Smolagents to version 1.22.0 or later, where the issue is fixed. In addition to patching, developers should implement strict input validation and sanitization routines for any user-supplied data incorporated into XPath queries, employing parameterized XPath queries or safe XPath libraries that prevent injection. Conduct thorough code reviews focusing on XPath query construction and test for injection vectors. Employ runtime monitoring to detect anomalous XPath query patterns that may indicate exploitation attempts. For organizations integrating Smolagents into larger systems, isolate the component to limit potential impact and apply the principle of least privilege to reduce data exposure. Finally, maintain an updated inventory of affected software versions and ensure rapid deployment of security updates.
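The escaping recommended above, as an added example (not code from Smolagents or from this advisory). XPath 1.0 string literals have no escape character, so the input is encoded as a quoted literal or a concat() of literals. The `contains(text(), ...)` query shape, the helper names and the sample inputs are assumptions made for illustration.

```python
import re

def xpath_literal(value: str) -> str:
    """Encode value as one XPath 1.0 string expression (no escape char exists)."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: quote each run separately, join with concat().
    pieces = []
    for i, run in enumerate(value.split("'")):
        if i:
            pieces.append('"\'"')  # the apostrophe itself, double-quoted
        if run:
            pieces.append(f"'{run}'")
    return "concat(" + ", ".join(pieces) + ")"

PREFIX, SUFFIX = "//*[contains(text(), ", ")]"  # assumed query shape

def unsafe_query(text: str) -> str:
    # Vulnerable pattern (CWE-643): input pasted between fixed quotes.
    return f"{PREFIX}'{text}'{SUFFIX}"

def safe_query(text: str) -> str:
    # Hardened pattern: input can only ever be string data.
    return f"{PREFIX}{xpath_literal(text)}{SUFFIX}"

_LIT = r"""(?:'[^']*'|"[^"]*")"""
_ARG = re.compile(rf"{_LIT}|concat\({_LIT}(?:, {_LIT})+\)")

def carried_text(query: str):
    """Return the string the query searches for, or None when the argument
    is not exactly one literal (or a concat() of literals)."""
    arg = query[len(PREFIX):-len(SUFFIX)]
    if not _ARG.fullmatch(arg):
        return None  # extra syntax sits outside the string literal
    return "".join(lit[1:-1] for lit in re.findall(_LIT, arg))

# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["Sign in", "O'Reilly", 'say "hi"', "it's \"quoted\"", "x') or ('y"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s),
              "unsafe keeps input as data:", carried_text(unsafe_query(s)) == s,
              "| safe keeps input as data:", carried_text(safe_query(s)) == s)
```

The round-trip check in `carried_text` doubles as a regression test: any input for which the query argument is no longer a single string expression indicates the builder is concatenating again.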
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-10-16T09:30:14.323Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68f8dca32e6b0a7b0dc9bfb1
Added to database: 10/22/2025, 1:31:15 PM
Last enriched: 10/29/2025, 1:57:37 PM
Last updated: 12/3/2025, 12:55:54 PM