PT-2025-12294 · Pandas+1 · Pandas+1

Published

2025-03-20

Updated

2025-03-23

CVE-2024-9880

CVSS v3.1

8.4

High

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions pandas-dev/pandas versions up to and including v2.2.2

Description A command injection issue exists in the pandas.DataFrame.query function, allowing an attacker to execute arbitrary commands on the server by crafting a malicious query. The issue arises from the improper validation of user-supplied input in the query function when using the 'python' engine, leading to potential remote command execution.

Recommendations For versions up to and including v2.2.2, consider disabling the pandas.DataFrame.query function when using the 'python' engine until a patch is available, or restrict the input to the query function to prevent malicious queries.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2024-9880

Affected Products

Debian

Pandas

PT-2025-12294 · Pandas+1 · Pandas+1

CVE-2024-9880

Weakness Enumeration

Related Identifiers

Affected Products

References · 13