PyPI package
pandasai
pkg:pypi/pandasai
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-12366 | Critical | 9.8 |  | <= 2.4.2 | — | Feb 11, 2025 | PandasAI's interactive prompt function is vulnerable to prompt injection: instead of the intended natural-language explanation from the LLM, an injected prompt can make it run arbitrary Python code, leading to remote code execution (RCE). |
| CVE-2024-23752 | — | — |  | <= 1.5.17 | — | Jan 22, 2024 | GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. An attacker can create a dataframe that provides an English language specification of thi |
| CVE-2023-39660 | — | — |  | < 0.8.1 | 0.8.1 | Aug 21, 2023 | An issue in Gabriele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function. |
| CVE-2023-39661 | — | — |  | <= 0.8.1 | — | Aug 15, 2023 | An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function. |
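The table gives one affected-version range per CVE, so the practical check is whether the pandasai release in a given environment falls inside any of them. The script below is an added example for this page, not code from pandasai or its maintainers: the specifiers are transcribed from the table as printed, the version comparison is a small pure-Python stand-in for `packaging.version` that only approximates pre-release and post-release suffixes, and `installed_pandasai_version` reads the installed distribution through the standard-library `importlib.metadata`.

```python
"""Check a pandasai version against the affected ranges in the table above.

Added example for this page; it is not part of pandasai. The specifiers
are transcribed from the table, and the comparison logic is a simplified
stand-in for packaging.version (dotted release numbers are handled fully,
pre-/post-release suffixes only approximately).
"""
from __future__ import annotations

import re
from importlib.metadata import PackageNotFoundError, version as _dist_version

# CVE id -> affected-version specifier, transcribed from the table above.
AFFECTED: dict[str, str] = {
    "CVE-2024-12366": "<= 2.4.2",
    "CVE-2024-23752": "<= 1.5.17",
    "CVE-2023-39660": "< 0.8.1",
    "CVE-2023-39661": "<= 0.8.1",
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_SPEC_RE = re.compile(r"^\s*(<=|>=|==|<|>)\s*(\S+)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.2' into (2, 4, 2).

    Anything after the numeric release segment is folded into one extra
    component: post-releases ('2.4.2.post1') sort after the release (+1),
    every other suffix ('0.8.1rc1', '0.8.1.dev3') sorts before it (-1).
    This is a conservative approximation, not a full PEP 440 parser.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2).strip().lower()
    if not suffix:
        return release
    return release + ((1,) if "post" in suffix else (-1,))


def _compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare with zero padding so that (2, 4) == (2, 4, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def matches(version: str, spec: str) -> bool:
    """True if `version` satisfies a single-bound specifier such as '<= 2.4.2'."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, bound = m.groups()
    c = _compare(parse_version(version), parse_version(bound))
    return {"<": c < 0, "<=": c <= 0, "==": c == 0, ">": c > 0, ">=": c >= 0}[op]


def affected_cves(version: str, table: dict[str, str] = AFFECTED) -> list[str]:
    """Return the CVE ids from `table` whose affected range includes `version`."""
    return [cve for cve, spec in table.items() if matches(version, spec)]


def installed_pandasai_version() -> str | None:
    """Version of pandasai in the current environment, or None if not installed."""
    try:
        return _dist_version("pandasai")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_pandasai_version()
    if found is None:
        print("pandasai is not installed in this environment")
    else:
        hits = affected_cves(found)
        print(f"pandasai {found}: " + (", ".join(hits) if hits else "no listed CVE matches"))
```

Run it inside the virtualenv that ships pandasai, or call `affected_cves("<version>")` directly with a version taken from a lockfile or SBOM. Note that the table's range for CVE-2023-39661 (`<= 0.8.1`) is narrower than the "v.0.9.1 and before" wording in its description; the script uses the table's figure, so treat a clean result on a 0.8.x or 0.9.x release with caution.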