PyPI: pandasai
CVE-2024-23752
Safety vulnerability ID: SFTY-20240122-61341
Safety legacy ID: pyup.io-64460
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660. See CVE-2024-23752.
Overview
Code execution in pandasai
How to Fix
Mitigation and Workarounds
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240122-61341/CVE-2024-23752
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23752
- https://github.com/gventuri/pandas-ai/issues/868
- https://nvd.nist.gov/vuln/detail/CVE-2024-23752
- https://github.com/advisories/GHSA-5g73-69p4-7gvx
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
