PyPI: pandasai
CVE-2023-39660
Safety vulnerability ID: SFTY-20230821-93947
Safety legacy ID: pyup.io-65037
An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function.
Overview
pandasai vulnerable to prompt injection
Advisory
An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function.
How to Fix
Upgrade
pandasai
to0.8.1
or higher.Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20230821-93947/CVE-2023-39660
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39660
- https://github.com/gventuri/pandas-ai/issues/399
- https://github.com/gventuri/pandas-ai/pull/409
- https://nvd.nist.gov/vuln/detail/CVE-2023-39660
- https://github.com/gventuri/pandas-ai/issues/399
- https://github.com/gventuri/pandas-ai/pull/409
- https://github.com/gventuri/pandas-ai/commit/3aac79be8fc1d18b53d66a566adddbbdd2b38ad5
- https://github.com/advisories/GHSA-w832-v3c6-m6rg
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more