banks is vulnerable to Unsafe Reflection
60
Medium Risk
The completion extension resolves tool callables by reading each tool's import_path and loading it dynamically with importlib.import_module and getattr. Tool definitions are parsed from the rendered completion body, so an import_path influenced by untrusted prompt or tool data can point to arbitrary modules and functions such as os.system. When the model issues a matching tool call, the resolved callable is invoked with model-supplied arguments, enabling arbitrary code execution on the host. The fix removes the dynamic importlib lookup, resolves tools only from an explicit allowlisted callable registry populated by the tool filter, and stops sending import_path to the model.
You are affected if you are using a version that falls within the vulnerable range and your application uses the {% completion %} function-calling feature with tool definitions that can be influenced by untrusted input.
banks is vulnerable to Unsafe Reflection in versions 1.4.0 - 2.4.2.
Upgrade the banks library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant