CVE-2025-55178: 
Python vulnerability analysis and mitigation

A vulnerability was identified in Llama Stack, tracked as CVE-2025-55178, affecting versions prior to v0.2.20. The vulnerability involves the resolveastby_type function accepting unverified parameters, which could potentially lead to remote code execution. The issue was discovered and disclosed on September 24, 2025 (NVD).

The vulnerability received a CVSS 3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, as assessed by CISA-ADP. The technical issue stems from the resolveastby_type function's handling of unverified parameters, specifically related to the BFCL scoring function which was later removed as it was not supported (GitHub PR).

The vulnerability could potentially allow attackers to execute remote code on affected systems. The CVSS scoring indicates that while the attack vector is network-accessible (AV:N) with low attack complexity (AC:L), the impact is primarily limited to integrity (I:L) with no direct effects on confidentiality or availability (NVD).

The vulnerability has been addressed in Llama Stack version v0.2.20. Users are advised to upgrade to this version, which removes the unsupported BFCL scoring function and implements various security improvements (GitHub Release).