CVE-2024-9880

Name of the Vulnerable Software and Affected Versions pandas-dev/pandas versions up to and including v2.2.2

Description A command injection issue exists in the pandas.DataFrame.query function, allowing an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the query function when using the 'python' engine, leading to potential remote command execution.

Recommendations For versions up to and including v2.2.2, consider disabling the pandas.DataFrame.query function when using the 'python' engine until a patch is available, or restrict the input to the query function to prevent malicious queries.