CVE-2025-0655 Information
Mar 21, 2025
Description
A vulnerability in man-group/dtale version 3.15.1 allows an attacker to override global state settings to enable the enable_custom_filters feature, which is typically restricted to trusted environments. Once it is enabled, the attacker can exploit the /test-filter endpoint to execute arbitrary system commands, leading to remote code execution (RCE). This issue is addressed in version 3.16.1.
Reference
https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a
https://huntr.com/bounties/f63af7bd-5438-4b36-a39b-4c90466cff13