CVE-2024-23752
CRITICALPandasAI through 1.5.17 - Unauthenticated Remote Code Execution via GenerateSDFPipeline
Title source: llmDescription
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of this Python code. NOTE: the vendor previously attempted to restrict code execution in response to a separate issue, CVE-2023-39660.
References (1)
Core 1
Core References
Exploit, Mailing List, Vendor Advisory
https://github.com/gventuri/pandas-ai/issues/868
Scores
CVSS v3
9.8
EPSS
0.0080
EPSS Percentile
74.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
gabrieleventuri/pandasai
< 1.5.17
pypi/pandasai
0PyPI
Published
Jan 22, 2024
Tracked Since
Feb 18, 2026