CVE-2024-9880 Information

Description

A command injection vulnerability exists in the pandas.DataFrame.query function of pandas-dev/pandas versions up to and including v2.2.2. This vulnerability allows an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the query function when using the ‘python’ engine leading to potential remote command execution.

Reference

https://huntr.com/bounties/a49baae1-4652-4d6c-a179-313c21c41a8d