Critical severityNVD Advisory· Published Mar 10, 2025· Updated Oct 3, 2025
Remote Code Execution in PlotAI
CVE-2025-1497
Description
A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
plotaiPyPI | < 0.0.7 | 0.0.7 |
Affected products
1Patches
1bdcfb13484f0comment out exec() method because of securith issues
1 file changed · +6 −1
plotai/code/executor.py+6 −1 modified@@ -12,7 +12,12 @@ def run(self, code, globals_env=None, locals_env=None): if not line.startswith("```"): tmp_code += line + "\n" - exec(tmp_code, globals_env, locals_env) + # please be aware of security issue with exec functions + # LLM can execute arbitrary code + # if you are aware of security issues, please uncomment below line + + # exec(tmp_code, globals_env, locals_env) + except Exception as e: return str(e) return None \ No newline at end of file
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/mljar/plotai/commit/bdcfb13484f0b85703a4c1ddfd71cb21840e7fdeghsapatchWEB
- cert.pl/en/posts/2025/03/CVE-2025-1497ghsathird-party-advisoryWEB
- cert.pl/posts/2025/03/CVE-2025-1497ghsathird-party-advisoryWEB
- github.com/advisories/GHSA-2hmp-5wqg-f24hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-1497ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/plotai/PYSEC-2025-22.yamlghsaWEB
News mentions
0No linked articles in our index yet.