CVE-2024-55890

CVE-2024-55890 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including samh4cks.

AI-analyzed exploit summary This PoC exploits a command injection vulnerability in D-Tale by uploading a CSV file, enabling custom filters, and executing arbitrary commands via a crafted payload in the filter query parameter. The payload spawns a reverse shell to an attacker-controlled IP.

D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.