D-Tale allows Remote Code Execution through the Query input on Chart Builder
Description
D-Tale's Custom Filter feature allows remote code execution when hosted publicly; fixed in version 3.14.1 by disabling the feature by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2024-45595 is a remote code execution vulnerability in D-Tale, a web-based visualizer for Pandas data structures [1]. The root cause lies in the "Custom Filter" input, which is used to apply user-supplied queries to data in charts and other views. The input is passed unsanitized to a function that evaluates it, allowing arbitrary Python code to be executed on the server [2][4].
Exploitation
Conditions
An attacker can exploit this vulnerability by sending a crafted request to a publicly accessible D-Tale instance. No authentication is required, as the custom filter input is available to any user who can reach the web interface. The attack surface is the chart query endpoint, where the query parameter is processed without proper validation [4].
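To give operators a detection hook for the request pattern just described, here is an added example that is not code from the D-Tale project or from this advisory: it scans web-server access logs for requests to the chart-data endpoint that carry a `query` parameter. The endpoint path `/dtale/chart-data/<data_id>` and the parameter name come from the patched test in this page's fix commit; the log lines are constructed samples in combined-log format, and the source addresses are placeholders from the documentation range.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined-log format (not real traffic).
# 203.0.113.0/24 is a documentation range used here as a placeholder source.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2026:10:01:02 +0000] "GET /dtale/main/1 HTTP/1.1" 200 5120
10.0.0.7 - - [09/May/2026:10:01:09 +0000] "GET /dtale/chart-data/1?x=date&y=price HTTP/1.1" 200 8831
203.0.113.9 - - [09/May/2026:10:02:41 +0000] "GET /dtale/chart-data/1?x=date&y=price&query=security_id+%3D%3D+51 HTTP/1.1" 200 1204
203.0.113.9 - - [09/May/2026:10:02:58 +0000] "GET /dtale/chart-data/1?query=a+%3E+1 HTTP/1.1" 500 310
garbage line that does not parse
"""

# Combined-log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Endpoint exercised by the fix commit's test: /dtale/chart-data/<data_id>
CHART_DATA_RE = re.compile(r"^/dtale/chart-data/[^/?]+$")


def parse_line(line):
    """Return the fields we need, or None for a line that is not in combined-log format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # decodes '+' and %XX escapes
    rec["status"] = int(rec["status"])
    return rec


def find_custom_filter_requests(log_text):
    """List every chart-data request that carries a 'query' parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not CHART_DATA_RE.match(rec["path"]):
            continue
        if "query" not in rec["params"]:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "query": rec["params"]["query"][0],
        })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address, most active first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_custom_filter_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} query={h["query"]!r}')
    print("per-source:", summarize_by_source(found))
```

A `query` parameter on this endpoint is normal use of the feature, not proof of abuse: on 3.14.1 and later with the flag off the server discards it. What matters is the combination of an affected version (or an instance with the flag deliberately enabled), a source that should not be using the tool, and repeated or erroring requests from that source. Instances behind a reverse proxy usually have the query string only in the proxy's log, so point the scan there.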
Impact
Successful exploitation grants the attacker remote code execution on the server hosting D-Tale. This can lead to full compromise of the application and underlying system, including data exfiltration, lateral movement, or further attacks [3].
Mitigation
The vulnerability is fixed in D-Tale version 3.14.1, where the custom filter feature is turned off by default [3]. Users are strongly advised to upgrade immediately. The commit [4] shows the addition of a flag enable_custom_filters that must be explicitly enabled, preventing the unsafe behavior in default configurations.
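The mitigation above reduces to two operator checks: is the installed version at least 3.14.1, and if so, has enable_custom_filters been switched on deliberately? The following added example (my code, not D-Tale's) encodes those checks and mirrors the fail-closed gate the fix commit adds in get_chart_data. The flag name and the fixed version come from this page; the plain dotted version format and the settings dictionary standing in for D-Tale's global state are assumptions.

```python
FIXED_VERSION = (3, 14, 1)       # first release that ships the gate, per the advisory
FLAG = "enable_custom_filters"   # flag name added by the fix commit


def parse_version(text):
    """'3.14.1' -> (3, 14, 1). Assumes a plain dotted numeric version (no pre-release tags)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version_text):
    """Every release below 3.14.1 evaluates custom filters unconditionally."""
    return parse_version(version_text) < FIXED_VERSION


def resolve_custom_query(settings, request_args):
    """Mirror of the patched get_chart_data: the 'query' argument is only read when
    the flag is on; otherwise it is discarded before it reaches the query builder.
    `settings` stands in for the app/data settings that global_state consults (assumption)."""
    if settings.get(FLAG, False):
        return request_args.get("query")
    return None


def assess_instance(version_text, settings):
    """Classify an instance from its version and effective settings.
    Returns (status, explanation)."""
    if is_affected_version(version_text):
        return ("VULNERABLE",
                f"version {version_text} < 3.14.1: custom filters cannot be disabled; upgrade")
    if settings.get(FLAG, False):
        return ("EXPOSED_BY_CONFIG",
                f"{FLAG} is enabled: keep this behind authentication and network restrictions")
    return ("OK", f"version {version_text} with {FLAG} off (the default)")


if __name__ == "__main__":
    for ver, cfg in [("3.13.0", {}), ("3.14.1", {}), ("3.14.1", {FLAG: True})]:
        print(ver, cfg, "->", assess_instance(ver, cfg))
    print(resolve_custom_query({}, {"query": "a > 1"}))            # None: parameter dropped
    print(resolve_custom_query({FLAG: True}, {"query": "a > 1"}))  # 'a > 1'
```

The default of False in `settings.get(FLAG, False)` is the whole point of the fix: an instance that never sets the flag cannot reach the evaluating code path through the chart query parameter. Turning the flag on restores the pre-3.14.1 behaviour, so treat it as equivalent to granting every user who can reach the interface shell access on the host and gate the interface accordingly.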
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dtale (PyPI) | < 3.14.1 | 3.14.1 |
Affected products
Patches (2)
b6e309693905: Added check for custom filtering before using custom queries in charts
3 files changed · +30 −21
dtale/dash_application/layout/layout.py+24 −20 modified@@ -1709,27 +1709,31 @@ def show_map_style(show): ), className="row pt-3 pb-3 charts-filters", ), - html.Div( + ( html.Div( - [ - html.Div( - [ - query_label, - dcc.Input( - id="query-input", - type="text", - placeholder=query_placeholder, - className="form-control", - value=query_value, - style={"lineHeight": "inherit"}, - ), - ], - className="input-group mr-3", - ) - ], - className="col", - ), - className="row pt-3 pb-3 charts-filters", + html.Div( + [ + html.Div( + [ + query_label, + dcc.Input( + id="query-input", + type="text", + placeholder=query_placeholder, + className="form-control", + value=query_value, + style={"lineHeight": "inherit"}, + ), + ], + className="input-group mr-3", + ) + ], + className="col", + ), + className="row pt-3 pb-3 charts-filters", + ) + if global_state.load_flag(inputs["data_id"], "enable_custom_filters", False) + else None ), html.Div( html.Div(
dtale/views.py+4 −1 modified@@ -3380,9 +3380,12 @@ def get_chart_data(data_id): max: maxY, } or {error: 'Exception message', traceback: 'Exception stacktrace'} """ + custom_query = None + if global_state.load_flag(data_id, "enable_custom_filters", False): + custom_query = get_str_arg(request, "query") data = run_query( handle_predefined(data_id), - build_query(data_id, get_str_arg(request, "query")), + build_query(data_id, custom_query), global_state.get_context_variables(data_id), ) x = get_str_arg(request, "x")
tests/dtale/test_views.py+2 −0 modified@@ -1975,6 +1975,7 @@ def test_get_chart_data(unittest, rolling_data): with app.test_client() as c: build_data_inst({c.port: test_data}) + global_state.set_app_settings(dict(enable_custom_filters=True)) response = c.get( "/dtale/chart-data/{}".format(c.port), query_string=dict(query="missing_col == 'blah'"), @@ -1997,6 +1998,7 @@ def test_get_chart_data(unittest, rolling_data): response_data["error"], 'query "security_id == 51" found no data, please alter', ) + global_state.set_app_settings(dict(enable_custom_filters=False)) df = pd.DataFrame([dict(a=i, b=np.nan) for i in range(100)]) df, _ = views.format_data(df)
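Review bot: in the layout.py hunk the filter row is now a conditional expression that evaluates to None when `enable_custom_filters` is off, and that None is left in place inside the children list of the surrounding container; confirm the enclosing component tolerates a None child (or filter it out) rather than rendering an empty placeholder. It is also worth saying in a comment that hiding the input is cosmetic: the server-side gate in views.py is what actually stops the `query` parameter being evaluated, so this hunk must not be relied on by itself.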
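Review bot: in the get_chart_data hunk a supplied `query` argument is silently dropped when the flag is off, so a client that still sends one receives unfiltered chart data with no indication that its filter was ignored; consider returning the endpoint's documented error shape (`{error: ..., traceback: ...}`) or at least logging the rejected parameter, which also gives operators a signal when the input is being probed. Defaulting to False in `global_state.load_flag(data_id, "enable_custom_filters", False)` is the right fail-closed choice, and `build_query(data_id, None)` matches what the old code already received when `get_str_arg` found no parameter, but check that every other view reading `query` gets the same gate, since this hunk covers only chart data.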
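Review bot: the first test_views.py hunk enables the flag with `global_state.set_app_settings(dict(enable_custom_filters=True))` so the existing query assertions keep passing, but nothing asserts the new default behaviour; add a case that leaves the flag at its default, sends `query=...` and checks the parameter is ignored, because that is the path the fix is meant to guarantee.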
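Review bot: the second test_views.py hunk resets the flag with `global_state.set_app_settings(dict(enable_custom_filters=False))` in the middle of the test body, so if any assertion between the enable and this reset fails, the True setting leaks into later tests that share global_state; move the reset into a fixture or a try/finally around the enabled section.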
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pw44-4h99-wqff (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-45595 (NVD entry)
- github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 (fix commit)
- github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff (project security advisory)
News mentions
No linked articles in our index yet.