CVE-2023-39660

9.8 CRITICAL

📋 TL;DR

This vulnerability in pandasai allows remote attackers to execute arbitrary code by sending specially crafted requests to the prompt function. It affects all systems running pandasai version 0.8.0 or earlier. The high CVSS score indicates critical severity with network-accessible attack vectors.

💻 Affected Systems

Products:
  • pandasai
Versions: v0.8.0 and all earlier versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the vulnerable prompt function is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential ransomware deployment.

🟢 If Mitigated

Limited impact with proper network segmentation and least privilege controls, potentially containing the breach to isolated environments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows code injection through crafted requests to the prompt function, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.8.1 or later

Vendor Advisory: https://github.com/gventuri/pandas-ai/issues/399

Restart Required: Yes

Instructions:

1. Stop the pandasai service.
2. Update pandasai using pip: 'pip install --upgrade pandasai'.
3. Verify version is 0.8.1 or higher.
4. Restart the service.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to pandasai endpoints to trusted IPs only

iptables -A INPUT -p tcp --dport <pandasai_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <pandasai_port> -j DROP

Disable Vulnerable Function

all

Temporarily disable or restrict access to the prompt function

Modify application configuration to disable prompt endpoint

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to isolate pandasai instances
  • Deploy application-level WAF with RCE protection rules and input validation

🔍 How to Verify

Check if Vulnerable:

Check the installed pandasai version with 'pip show pandasai' or 'python -c "import pandasai; print(pandasai.__version__)"'. Version 0.8.0 and all earlier versions are affected.

Check Version:

python -c "import pandasai; print(pandasai.__version__)"

Verify Fix Applied:

Confirm version is 0.8.1 or higher and test prompt function with safe inputs
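
The version check above as a script. This is an added example, not code from the advisory or the pandasai project: it reads the installed version from package metadata instead of importing pandasai, and flags vulnerable pins in pip-freeze style text. The function names and the sample requirements text are constructed for illustration, and treating a pre-release of 0.8.1 as unpatched is an assumption.

```python
# Added example: not from the advisory or the pandasai project.
import re
from importlib import metadata

FIXED = (0, 8, 1)  # first patched release per the advisory above
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)")

def is_vulnerable(version):
    """True if version < 0.8.1, compared numerically (so 0.10.0 > 0.8.1)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad "0.8" to (0, 8, 0)
    # Assumption: a pre-release of 0.8.1 itself (rc/dev/a/b) counts as unpatched.
    pre = re.match(r"[._-]?(a|b|rc|dev|pre)", m.group(2), re.I)
    return nums < FIXED or (nums == FIXED and pre is not None)

def audit_requirements(text):
    """Return (line_number, version) for each vulnerable pandasai pin."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = PIN.match(line)
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() == "pandasai":
            if is_vulnerable(m.group(2)):
                hits.append((n, m.group(2)))
    return hits

def installed_status():
    """Check this environment via package metadata, without importing pandasai."""
    try:
        v = metadata.version("pandasai")
    except metadata.PackageNotFoundError:
        return "pandasai not installed"
    return f"pandasai {v}: " + ("VULNERABLE" if is_vulnerable(v) else "patched")

# Constructed sample of `pip freeze` output, for illustration only.
SAMPLE = """\
pandas==2.0.3
pandasai==0.8.0
pandasai==0.10.1
"""

if __name__ == "__main__":
    print(installed_status())
    for n, v in audit_requirements(SAMPLE):
        print(f"line {n}: pandasai=={v} is in the vulnerable range")
```

Comparing versions as strings would rank 0.10.0 below 0.8.1 and report a patched install as vulnerable, which is why the comparison is done on integer tuples.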

📡 Detection & Monitoring

Log Indicators:

  • Unusual prompt function calls
  • Suspicious code patterns in prompt inputs
  • Unexpected process spawns from pandasai

Network Indicators:

  • Unusual outbound connections from pandasai server
  • Large data transfers following prompt requests

SIEM Query:

source="pandasai" AND (event="prompt_execution" OR event="code_execution")
