Critical severity · OSV Advisory · Published Mar 20, 2025 · Updated Apr 15, 2025
CVE-2025-0655
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dtale (PyPI) | < 3.17.0 | 3.17.0 |
Patches (1)
Commit 11e26ed3ca12f: https://github.com/man-group/dtale/issues/894: updates to 'update-settings' endpoint
2 files changed · +22 −0
dtale/views.py+7 −0 modified@@ -1625,6 +1625,13 @@ def update_settings(data_id): """ updated_settings = get_json_arg(request, "settings", {}) + + # block users from manually updating 'enable_custom_filters' + if "enable_custom_filters" in updated_settings: + raise ValueError( + "Cannot alter the property 'enable_custom_filters' from this endpoint" + ) + if not global_state.load_flag(data_id, "enable_custom_filters", False): updated_settings.pop("query", None)
tests/dtale/test_views.py+15 −0 modified@@ -585,6 +585,21 @@ def test_update_settings(test_data, unittest): response_data = response.get_json() assert "error" in response_data + settings = json.dumps(dict(enable_custom_filters=True)) + with app.test_client() as c: + with ExitStack() as stack: + global_state.set_data(c.port, None) + response = c.get( + "/dtale/update-settings/{}".format(c.port), + query_string=dict(settings=settings), + ) + assert response.status_code == 200, "should return 200 response" + response_data = response.get_json() + assert ( + response_data["error"] + == "Cannot alter the property 'enable_custom_filters' from this endpoint" + ) + @pytest.mark.unit def test_update_formats():
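Review bot: in the `update_settings` hunk the new guard is a denylist of one key, so every other name in `updated_settings` still flows through untouched; the only other handling visible is `if not global_state.load_flag(data_id, "enable_custom_filters", False): updated_settings.pop("query", None)`. An allowlist of the settings this endpoint is meant to expose would cover any privileged flag added later without another special case. Separately, the `raise ValueError(...)` reaches the client as a 200 with an `error` body (the accompanying test asserts `response.status_code == 200`), so callers cannot distinguish a rejected update from a successful one by status; a 400 would be the conventional signal.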
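Review bot: in the new `test_update_settings` block, `with ExitStack() as stack:` binds `stack` but never uses it; drop the context manager or use it. The case also only sends `enable_custom_filters=True`; add one with `enable_custom_filters=False` (the guard rejects the key regardless of value) and one that sends `query` while the flag is off, asserting that `query` is dropped rather than the request rejected, so the test pins the intended difference between the two paths.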
Vulnerability mechanics
The patch shows the defect directly. Before 3.17.0, `update_settings` accepted every key in the client-supplied `settings` JSON, including `enable_custom_filters`, and the `query` setting was stripped only when that stored flag was off (`if not global_state.load_flag(data_id, "enable_custom_filters", False): updated_settings.pop("query", None)`). A client could therefore turn the flag on through this endpoint and then submit a `query` of its own choosing. Version 3.17.0 raises an error for any request to this endpoint that carries the `enable_custom_filters` key. The advisory lists no CWE.
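To make the flow in the patch above concrete, here is a self-contained Python model written for this page; it is not dtale's code. It reconstructs the pre-3.17.0 behaviour from the hunk's unchanged lines (`query` is dropped only when the stored flag is off), the denylist check that shipped in 3.17.0, and a third allowlist variant that dtale did not ship. `STATE`, `ALLOWED_SETTINGS`, `_parse` and `demo_escalation` are stand-ins invented here, and the assumption that surviving settings are merged into per-dataset state describes code the page does not show.

```python
"""Model of the dtale 'update-settings' fix (CVE-2025-0655), written as an
illustration for this advisory. Not dtale's code: STATE, ALLOWED_SETTINGS,
_parse and demo_escalation are stand-ins; merging the surviving settings
into per-dataset state is an assumption about code not shown on the page."""
import json
from typing import Any, Callable, Dict

# Constructed stand-in for dtale's global_state: data_id -> settings dict.
STATE: Dict[str, Dict[str, Any]] = {}

# Hypothetical allowlist for the third variant; dtale's real set of
# client-updatable settings is not shown on the advisory page.
ALLOWED_SETTINGS = {"sort", "locked", "columnFormats", "query"}


def load_flag(data_id: str, name: str, default: bool) -> bool:
    """Mirror of global_state.load_flag: read a boolean from stored settings."""
    return bool(STATE.setdefault(data_id, {}).get(name, default))


def _parse(settings_json: str) -> Dict[str, Any]:
    """Decode the 'settings' argument; rejecting non-objects is added here."""
    parsed = json.loads(settings_json)
    if not isinstance(parsed, dict):
        raise ValueError("'settings' must be a JSON object")
    return parsed


def update_settings_pre_patch(data_id: str, settings_json: str) -> Dict[str, Any]:
    """Pre-3.17.0 shape, reconstructed from the hunk's unchanged lines:
    'query' is stripped only when the stored flag is off, and nothing stops
    the client from sending 'enable_custom_filters' itself."""
    updated = _parse(settings_json)
    if not load_flag(data_id, "enable_custom_filters", False):
        updated.pop("query", None)
    STATE.setdefault(data_id, {}).update(updated)
    return dict(STATE[data_id])


def update_settings_patched(data_id: str, settings_json: str) -> Dict[str, Any]:
    """3.17.0 shape: the flag is a denylisted key and the whole request is
    rejected if it is present, whatever its value."""
    updated = _parse(settings_json)
    if "enable_custom_filters" in updated:
        raise ValueError(
            "Cannot alter the property 'enable_custom_filters' from this endpoint"
        )
    if not load_flag(data_id, "enable_custom_filters", False):
        updated.pop("query", None)
    STATE.setdefault(data_id, {}).update(updated)
    return dict(STATE[data_id])


def update_settings_allowlist(data_id: str, settings_json: str) -> Dict[str, Any]:
    """Alternative hardening (not what dtale shipped): keep only keys the
    endpoint is meant to expose, so a privileged flag added later is
    protected by default instead of needing its own denylist entry."""
    updated = _parse(settings_json)
    rejected = set(updated) - ALLOWED_SETTINGS
    if rejected:
        raise ValueError(
            f"Settings not updatable via this endpoint: {sorted(rejected)}"
        )
    if not load_flag(data_id, "enable_custom_filters", False):
        updated.pop("query", None)
    STATE.setdefault(data_id, {}).update(updated)
    return dict(STATE[data_id])


def demo_escalation(handler: Callable[[str, str], Dict[str, Any]]) -> bool:
    """Run the two-request sequence a client would use against `handler`:
    first flip the flag, then submit a 'query'. Returns True if the query
    ended up stored, i.e. the endpoint let the client enable custom filters."""
    data_id = f"demo-{handler.__name__}"
    STATE.pop(data_id, None)  # fresh per-dataset state for each run
    try:
        handler(data_id, json.dumps({"enable_custom_filters": True}))
        after = handler(data_id, json.dumps({"query": "a > 1"}))
    except ValueError:
        return False
    return "query" in after


if __name__ == "__main__":
    for fn in (update_settings_pre_patch, update_settings_patched,
               update_settings_allowlist):
        print(f"{fn.__name__}: client could enable filters = {demo_escalation(fn)}")
```

Running `demo_escalation` against the three handlers shows that the two-request sequence (flip the flag, then send `query`) succeeds only against the pre-patch model; both the shipped denylist and the allowlist variant stop it at the first request, and the allowlist additionally refuses any unexpected key without a new special case per flag.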