Exploitation Summary
CVE-2024-3408 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 2 public exploits from researchers including flame-11, taiphung217 and Takahiro Yokoyama, among them a Metasploit module, exploits/linux/http/dtale_rce_cve_2025_0655.
A Nuclei detection template is also available.
AI-analyzed exploit summary: This repository provides a functional exploit for CVE-2024-3408, demonstrating an authentication bypass and remote code execution (RCE) in D-Tale versions up to 3.15.1. The exploit leverages a hardcoded SECRET_KEY for session forgery and abuses the pandas query injection in the test-filter endpoint to execute arbitrary commands.
Description
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the Flask configuration, which allows attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
Exploits (2)
This repository provides a functional exploit for CVE-2024-3408, demonstrating an authentication bypass and remote code execution (RCE) in D-Tale versions up to 3.15.1. The exploit leverages a hardcoded SECRET_KEY for session forgery and abuses the pandas query injection in the test-filter endpoint to execute arbitrary commands.
This Metasploit module exploits CVE-2024-3408 in D-Tale by bypassing authentication via JWT manipulation, enabling custom filters, and executing arbitrary commands through the /test-filter endpoint.
Nuclei Templates (1)
title:"D-Tale"
title="D-Tale"
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H