CVE-2024-55890
Description
D-Tale versions prior to 3.16.1 allow remote code execution via the update-settings endpoint, enabling attackers to run arbitrary code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-55890 is a high-severity remote code execution (RCE) vulnerability in D-Tale, a visualizer for pandas data structures. The root cause is that, in versions prior to 3.16.1, the update-settings endpoint does not stop clients from changing the enable_custom_filters flag. Attackers can leverage this to inject malicious code, leading to arbitrary code execution on the host server [1].
Exploitation
Exploitation requires network access to the D-Tale server, but no authentication is mentioned in the description. The update-settings endpoint is used to manipulate configuration settings, and by altering the enable_custom_filters flag, an attacker can enable custom filter functionality that allows the execution of arbitrary Python code [1].
Impact
Successful exploitation gives the attacker the ability to run arbitrary code on the server with the privileges of the D-Tale process. This can lead to complete compromise of the server, including data exfiltration, installation of backdoors, or lateral movement within the network [1].
Mitigation
The vulnerability is fixed in D-Tale version 3.16.1, which blocks the update-settings endpoint from updating the enable_custom_filters flag. Users are advised to upgrade immediately. For those running older versions, the only workaround is to restrict access to trusted users only, as no other mitigations are available [1].
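To make the fix concrete from the defender's side, here is an added Python example; it is not D-Tale's code and does not reproduce the project's endpoint or API. It models a settings-update handler in the same shape as the described endpoint, with the flaw's "before" merge beside a fail-closed version that refuses the enable_custom_filters key whatever its value, rejects keys outside an allowlist, and only lets a query through when the server-side flag already permits custom filters. The allowlist, the in-memory store, the error wording and the request strings are constructed assumptions.

```python
"""Settings-update handler that refuses to let a client flip security-relevant
flags. This is an added, stand-alone example, not D-Tale's code: the real
endpoint, request parsing and global state are replaced by plain functions
and a dict so the check itself can be exercised offline."""
import json
from copy import deepcopy

# Flags that control what the server will execute on a client's behalf.
# The advisory names enable_custom_filters; protecting it here mirrors the
# described fix, but the surrounding structure is a constructed example.
PROTECTED_FLAGS = frozenset({"enable_custom_filters"})

# Keys a client may change through this endpoint (constructed allowlist;
# D-Tale's real list of settings is not reproduced here).
UPDATABLE_KEYS = frozenset({"query", "sort", "columnFormats", "precision"})


class SettingsError(ValueError):
    """Raised when a settings update must be refused."""


def parse_settings_arg(raw):
    """Parse the 'settings' argument a client sent; only a JSON object is accepted."""
    if not raw:
        return {}
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SettingsError("settings is not valid JSON: %s" % exc.msg) from None
    if not isinstance(parsed, dict):
        raise SettingsError("settings must be a JSON object")
    return parsed


def update_settings_insecure(current, requested):
    """'Before' shape of the logic: every key the client sent is persisted.
    The query check reads the flag's stored value, so a protected flag that
    arrives in the same request is still written to the store."""
    merged = deepcopy(current)
    if not current.get("enable_custom_filters", False):
        requested = {k: v for k, v in requested.items() if k != "query"}
    merged.update(requested)
    return merged


def update_settings_hardened(current, requested):
    """Fail closed: refuse protected flags whatever their value, refuse keys
    outside the allowlist, and drop 'query' unless the server-side flag
    already permits custom filter expressions."""
    blocked = PROTECTED_FLAGS.intersection(requested)
    if blocked:
        raise SettingsError(
            "cannot alter %s from this endpoint" % ", ".join(sorted(blocked))
        )
    unknown = set(requested) - UPDATABLE_KEYS
    if unknown:
        raise SettingsError("unknown setting(s): %s" % ", ".join(sorted(unknown)))
    merged = deepcopy(current)
    merged.update(requested)
    if not current.get("enable_custom_filters", False):
        merged.pop("query", None)
    return merged


def handle_update_request(store, data_id, raw_settings):
    """Endpoint-shaped wrapper: returns (http_status, json_body) and only
    commits to the store when the whole update was accepted."""
    try:
        requested = parse_settings_arg(raw_settings)
        store[data_id] = update_settings_hardened(store.get(data_id, {}), requested)
    except SettingsError as exc:
        return 400, {"error": str(exc)}
    return 200, {"success": True, "settings": store[data_id]}


if __name__ == "__main__":
    # Constructed requests, shaped like the endpoint's 'settings' argument.
    store = {1: {"precision": 2}}
    print(handle_update_request(store, 1, '{"enable_custom_filters": true}'))
    print(handle_update_request(store, 1, '{"enable_custom_filters": false}'))
    print(handle_update_request(store, 1, '{"query": "a > 1", "precision": 4}'))
    print(update_settings_insecure({}, {"enable_custom_filters": True}))
```

The hardened path rejects the protected key before anything is merged, so a refused request leaves the store untouched, and it returns a 4xx rather than a 200 with an error body, which makes rejected updates easy to pick out in access logs.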
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dtale (PyPI) | < 3.16.1 | 3.16.1 |
Affected products
Patches
11e26ed3ca12f - https://github.com/man-group/dtale/issues/894: updates to 'update-settings' endpoint
2 files changed · +22 −0
dtale/views.py+7 −0 modified@@ -1625,6 +1625,13 @@ def update_settings(data_id): """ updated_settings = get_json_arg(request, "settings", {}) + + # block users from manually updating 'enable_custom_filters' + if "enable_custom_filters" in updated_settings: + raise ValueError( + "Cannot alter the property 'enable_custom_filters' from this endpoint" + ) + if not global_state.load_flag(data_id, "enable_custom_filters", False): updated_settings.pop("query", None)
tests/dtale/test_views.py+15 −0 modified@@ -585,6 +585,21 @@ def test_update_settings(test_data, unittest): response_data = response.get_json() assert "error" in response_data + settings = json.dumps(dict(enable_custom_filters=True)) + with app.test_client() as c: + with ExitStack() as stack: + global_state.set_data(c.port, None) + response = c.get( + "/dtale/update-settings/{}".format(c.port), + query_string=dict(settings=settings), + ) + assert response.status_code == 200, "should return 200 response" + response_data = response.get_json() + assert ( + response_data["error"] + == "Cannot alter the property 'enable_custom_filters' from this endpoint" + ) + @pytest.mark.unit def test_update_formats():
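Review bot: in the dtale/views.py hunk, the check `if "enable_custom_filters" in updated_settings:` is a deny-list of a single key, and the accompanying test expects the raised ValueError to come back as a 200 response with an error body, so callers and logs cannot tell a rejected update from a successful one by status code alone. Consider an allowlist of client-updatable keys so that any further execution-gating flag is protected by default, a comment stating why this flag is protected (it gates whether `query` is kept two lines below), and a 4xx status for the refusal.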
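Review bot: in the tests/dtale/test_views.py hunk, the new case asserts only on the error string; it should also assert the flag was not persisted, for example `assert not global_state.load_flag(c.port, "enable_custom_filters", False)` after the request, and a second case sending `enable_custom_filters=False` would pin down that the endpoint refuses the key regardless of value. The `with ExitStack() as stack:` block is never used (no `stack.enter_context` in the visible lines) and can be dropped.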
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.