VYPR
High severity · NVD Advisory · Published Aug 21, 2023 · Updated Oct 7, 2024

CVE-2023-39660

Description

CVE-2023-39660 is a prompt injection vulnerability in PandasAI ≤0.8.0 that allows remote attackers to execute arbitrary code by crafting a malicious prompt.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2023-39660 is a security flaw in Gabriele Venturi's PandasAI (also known as pandas-ai) version 0.8.0 and earlier. The root cause is that the application processes user prompts and translates them into Python code that is then executed. While some basic security checks exist, they can be bypassed by prompt injection. The researcher who reported the issue demonstrated a bypass using a carefully crafted prompt that leads to arbitrary code execution [1][4].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the prompt function of PandasAI. No authentication is required if the application exposes this functionality directly. The attacker's prompt includes a jailbreak component that instructs the language model to ignore prior restrictions and return code that accesses Python's base class hierarchy. Once the generated code is eval'd or exec'd by PandasAI, the attacker can invoke arbitrary system commands [4]. The official fix was merged in pull request #409, which added more robust input sanitization and restrictions on which code patterns are allowed [1].

Impact

Successful exploitation gives the attacker full remote code execution on the server running PandasAI. This can lead to data exfiltration, lateral movement, or complete compromise of the host. Since PandasAI is often used to let users query data files or databases in natural language, an exposed instance is a high-value target [2][4].

Mitigation

Users should upgrade to a patched version of pandas-ai beyond 0.8.0. The fix is in pull request #409, which was merged into the main branch. As of the publication date, no workaround is available for unpatched versions; restricting network access and applying strict input validation can reduce risk but do not fully eliminate it. The CVE is listed on the National Vulnerability Database [3] and should be prioritized for patching.
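
A stricter form of the code screening discussed above, as an added example (not PandasAI's code): it assumes a policy of rejecting the whole generated snippet when any dunder name appears as an identifier, an attribute or a string literal. The function names and sample strings are constructed for illustration; `PAGE_TEST_PAYLOAD` is the string from the test in the patch shown on this page and is only parsed, never executed.

```python
import ast

# Constructed samples. PAGE_TEST_PAYLOAD is the string from the patch's test
# on this page; it is only parsed here, never executed.
BENIGN = "result = df.groupby('country')['gdp'].sum()\nprint(result)\n"
PAGE_TEST_PAYLOAD = (
    "__builtins__['str'].__class__.__mro__[-1].__subclasses__()[140]"
    ".__init__.__globals__['system']('ls')\nprint(df)\n"
)
ATTR_ONLY = "t = df.__class__\nprint(df)\n"
STRING_KEY = "getattr(df, '__class__')\n"


def _is_dunder(name: str) -> bool:
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def find_dunder_uses(code: str) -> list:
    """Return sorted (line, name) pairs for every dunder reference."""
    hits = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Name):
            name = node.id
        elif isinstance(node, ast.Attribute):
            name = node.attr
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            name = node.value
        else:
            continue
        if _is_dunder(name):
            hits.append((node.lineno, name))
    return sorted(hits)


def vet_generated_code(code: str) -> tuple:
    """Fail closed: a syntax error or any dunder use rejects the snippet."""
    try:
        hits = find_dunder_uses(code)
    except SyntaxError:
        return False, [(0, "syntax-error")]
    return not hits, hits


if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("page payload", PAGE_TEST_PAYLOAD),
                       ("attribute only", ATTR_ONLY), ("string key", STRING_KEY)]:
        print(label, vet_generated_code(src))
```

Static screening of this kind narrows what generated code can reach; it does not replace running that code in an isolated, unprivileged environment.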

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
pandasai (PyPI) | < 0.8.1 | 0.8.1

Affected products

2

Patches

1
3aac79be8fc1

fix: bypass the security check with prompt injection (#399) (#409)

https://github.com/gventuri/pandas-ai · Gabriele Venturi · Jul 28, 2023 · via ghsa
2 files changed · +28 −1
  • pandasai/__init__.py (+19 −1, modified)
    @@ -586,6 +586,24 @@ def _is_df_overwrite(self, node: ast.stmt) -> bool:
                 and re.match(r"df\d{0,2}$", node.targets[0].id)
             )
     
    +    def _is_jailbreak(self, node: ast.stmt) -> bool:
    +        """
    +        Remove jailbreaks from the code to prevent malicious code execution.
    +
    +        Args:
    +            node (object): ast.stmt
    +
    +        Returns (bool):
    +        """
    +
    +        DANGEROUS_BUILTINS = ["__subclasses__", "__builtins__", "__import__"]
    +
    +        for child in ast.walk(node):
    +            if isinstance(child, ast.Name) and child.id in DANGEROUS_BUILTINS:
    +                return True
    +
    +        return False
    +
         def _clean_code(self, code: str) -> str:
             """
             A method to clean the code to prevent malicious code execution
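
Review bot: `_is_jailbreak` inspects only `ast.Name` nodes (`isinstance(child, ast.Name) and child.id in DANGEROUS_BUILTINS`), so a listed name is caught only when it appears as a bare identifier; `__subclasses__` is normally reached as an attribute, which is an `ast.Attribute` node carrying the name in `.attr`, and that form is not checked here. Consider also testing `ast.Attribute.attr` and string constants against the list, and treating any dunder name as suspicious rather than three fixed strings. The docstring also says the method removes jailbreaks while it only returns a flag, and `Returns (bool):` is left empty.
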
    @@ -608,7 +626,7 @@ def _clean_code(self, code: str) -> str:
                 if isinstance(node, (ast.Import, ast.ImportFrom)):
                     self._check_imports(node)
                     continue
    -            if self._is_df_overwrite(node):
    +            if self._is_df_overwrite(node) or self._is_jailbreak(node):
                     continue
                 new_body.append(node)
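
Review bot: in `_clean_code`, a statement flagged by `_is_jailbreak` is dropped with the same silent `continue` used for a dataframe overwrite, so the remaining generated statements still run and nothing records that an injection attempt was seen. Consider rejecting the whole snippet (raise, or return an error to the caller) and logging the offending node, since code the model produced under a jailbreak prompt is not trustworthy once one statement has been stripped from it.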
     
    
  • tests/test_pandasai.py (+9 −0, modified)
    @@ -327,6 +327,15 @@ def test_clean_code_remove_builtins(self, pandasai):
             assert pandasai.run_code(builtins_code, pd.DataFrame()) == {1, 2, 3}
             assert pandasai.last_code_executed == "print(set([1, 2, 3]))"
     
    +    def test_clean_code_removes_jailbreak_code(self, pandasai):
    +        malicious_code = """
    +__builtins__['str'].__class__.__mro__[-1].__subclasses__()[140].__init__.__globals__['system']('ls')
    +print(df)
    +"""
    +        pandasai._llm._output = malicious_code
    +        pandasai.run_code(malicious_code, pd.DataFrame())
    +        assert pandasai.last_code_executed == "print(df)"
    +
         def test_clean_code_remove_environment_defaults(self, pandasai):
             pandas_code = """
     import pandas as pd
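
Review bot: `test_clean_code_removes_jailbreak_code` covers a single payload, and that payload begins with a bare `__builtins__`, so the test passes without exercising the `__subclasses__` and `__import__` entries of the list. Add one case per listed name, including one where the name appears only as an attribute. Calling `_clean_code` directly and asserting on the returned source would also avoid going through `pandasai.run_code`, which would execute `system('ls')` on the test host if the filter regressed.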
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
