Plateforme
python
Composant
pandasai
Corrigé dans
2.4.1
2.4.3
CVE-2024-12366 describes a Remote Code Execution (RCE) vulnerability within pandasai, a Python library designed to enhance pandas with natural language processing capabilities. This flaw arises from insufficient security controls in the interactive prompt function, allowing attackers to inject malicious prompts and execute arbitrary Python code. Versions of pandasai up to and including 2.4.2 are affected; a fix is available in version 2.4.1.
The impact of CVE-2024-12366 is severe. An attacker can leverage prompt injection to bypass security measures and execute arbitrary Python code within the pandasai environment. This could lead to complete system compromise, allowing the attacker to steal sensitive data, install malware, or pivot to other connected systems. The ability to execute arbitrary code effectively grants the attacker full control over the affected system. This vulnerability shares similarities with other prompt injection attacks targeting large language model integrations, highlighting the importance of robust input validation and security controls.
CVE-2024-12366 was publicly disclosed on 2025-02-11. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge given the ease of prompt injection exploitation. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring. Active campaigns targeting pandasai are not yet confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Organizations and developers using pandasai in production environments, particularly those integrating it with sensitive data or critical systems, are at significant risk. Those relying on pandasai for automated data analysis or report generation are especially vulnerable, as they may not be actively monitoring prompts for malicious content. Users with limited security expertise or those who have not implemented robust input validation practices are also at higher risk.
• python / supply-chain:
import pandas as pd
import pandasai
# Check pandasai version
print(pandasai.__version__)
# Attempt to detect malicious code execution by injecting a simple prompt
# (This is a simplified example and may require more sophisticated techniques)
# pandasai.with_chat_session().run('print("Malicious code executed")')• generic web: Check for unusual process activity related to pandasai. Monitor system logs for unexpected Python script executions. • generic web: Review pandasai configuration files for any suspicious modifications or injected code.
disclosure
Statut de l'Exploit
EPSS
5.90% (percentile 91%)
Vecteur CVSS
The primary mitigation for CVE-2024-12366 is to upgrade pandasai to version 2.4.1 or later. This version includes fixes to properly validate and sanitize user inputs, preventing malicious code execution. If upgrading is not immediately feasible, consider implementing strict input validation and sanitization on all prompts passed to pandasai. While not a complete solution, this can reduce the attack surface. Review and restrict the permissions granted to the pandasai process to limit the potential damage from a successful exploit. After upgrading, verify the fix by attempting to inject a simple, known malicious prompt and confirming that it is properly rejected.
Actualice la biblioteca PandasAI a una versión posterior a la 2.4.0 que corrija la vulnerabilidad de inyección de código. Consulte las notas de la versión y las actualizaciones de seguridad proporcionadas por Sinaptik AI para obtener instrucciones específicas sobre la actualización y las mitigaciones adicionales.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-12366 is a critical Remote Code Execution vulnerability in pandasai versions up to 2.4.2. Attackers can inject malicious prompts to execute arbitrary Python code, potentially compromising the entire system.
If you are using pandasai version 2.4.2 or earlier, you are vulnerable to this RCE vulnerability. Carefully assess your environment and upgrade as soon as possible.
Upgrade pandasai to version 2.4.1 or later. This version includes the necessary security fixes to prevent prompt injection attacks. Implement input validation as a temporary workaround if immediate upgrade is not possible.
While no active campaigns have been confirmed, the vulnerability's critical severity and ease of exploitation suggest it is a potential target. Continuous monitoring is recommended.
Refer to the pandasai project's official security advisories and release notes for detailed information and updates regarding CVE-2024-12366. Check the pandasai GitHub repository and documentation.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier requirements.txt et nous te dirons instantanément si tu es affecté.