Cyber Resilience

CVE-2024-12366

Severity: Critical
Published: 11 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0781 (92.2nd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12366 is a critical-severity vulnerability of unspecified weakness type (no CWE is listed) in Getpanda, the vendor inferred from the references. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter: Python (T1059.006). The CVE ranks in the top 7.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Data Processing Libraries, falls in the LLM/Generative AI Risks domain, and the MITRE ATLAS techniques in scope are LLM Prompt Injection (AML.T0051) and LLM Jailbreak (AML.T0054).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

PandasAI contains a vulnerability in its interactive prompt function that permits prompt injection attacks. Rather than generating an intended natural language explanation via the underlying LLM, an attacker-supplied prompt can cause the library to execute arbitrary Python code, resulting in remote code execution on the host system. The affected component is the core prompt-handling logic in PandasAI, which processes untrusted natural-language input without sufficient isolation or sandboxing.

An unauthenticated attacker with network access can supply a malicious prompt that bypasses the intended LLM workflow and directly executes Python statements. Successful exploitation grants full confidentiality, integrity, and availability impact, consistent with the CVSS 9.8 rating that reflects no required authentication or user interaction.

Public references point to PandasAI security documentation covering privacy controls and an advanced security agent feature, along with a CERT vulnerability note, but do not detail specific patches or configuration changes that close the injection path.

The associated EPSS score remains flat at 0.0781 with no observed increase after disclosure. The issue is specific to an LLM-integrated data-analysis library and therefore affects organizations using PandasAI for natural-language querying of data sets.

Vulnerability details

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and can run arbitrary Python code, leading to Remote Code Execution (RCE), instead of the intended explanation of the natural-language processing by the LLM.

CWE(s)
None listed

AI Security Analysis

AI Category
Data Processing Libraries
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
LLM01:2025 Prompt Injection
Classification Reason
Matched keywords: llm, prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.006 Command and Scripting Interpreter: Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The prompt injection vulnerability enables remote code execution via arbitrary Python code, mapping to T1059.006 (Command and Scripting Interpreter: Python) for execution and T1203 (Exploitation for Client Execution) as it exploits a software vulnerability in PandasAI.

MITRE ATLAS Techniques

AML.T0051: LLM Prompt Injection
AML.T0054: LLM Jailbreak

Affected Assets

Getpanda (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the PandasAI prompt injection vulnerability by requiring identification, reporting, and patching of the specific flaw enabling RCE.

SI-10 Information Input Validation (prevent)

Validates natural-language inputs to the interactive prompt function, and the code the LLM produces from them, to block prompt injection attacks that hijack LLM processing for arbitrary code execution.

SI-16 Memory Protection (prevent)

Protects against unauthorized code execution resulting from successful prompt injections by implementing memory protections such as executable-space restrictions.
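
As an added example of the SI-10 input-validation control applied to the injection path described under Deeper analysis (illustrative code written for this page, not PandasAI's own implementation; the module allowlist and builtin denylist are assumptions), a static allowlist check that LLM-generated Python must pass before any interpreter sees it:

```python
import ast

# Policy for code the LLM produced, checked before it reaches exec().
# Assumed for this example: a short allowlist of data-analysis modules and a
# denylist of builtins that reach the OS or rebuild an import path.
ALLOWED_MODULES = {"pandas", "numpy", "math"}
FORBIDDEN_NAMES = {"eval", "exec", "compile", "open", "__import__",
                   "getattr", "setattr", "globals", "locals", "vars",
                   "input", "breakpoint"}


def validate_generated_code(source: str) -> list:
    """Statically check LLM-generated Python. Returns a list of policy
    violations; an empty list means the snippet passed the allowlist."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error at line {exc.lineno}: {exc.msg}"]

    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]  # relative imports give module=None
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] not in ALLOWED_MODULES:
                violations.append(f"import of {mod!r} is not allowed")
        # Bare names such as eval(...) or __import__(...)
        if isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            violations.append(f"builtin {node.id!r} is not allowed")
        # Dunder attribute access reaches interpreter internals; reject it
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"dunder attribute {node.attr!r} is not allowed")
    return violations


def run_generated_code(source: str, env: dict) -> dict:
    """Execute the snippet only if the static check passes. The check is an
    input-validation gate, not a sandbox: isolation still has to come from
    running this in a throwaway process or container with no secrets."""
    problems = validate_generated_code(source)
    if problems:
        raise ValueError("rejected LLM-generated code: " + "; ".join(problems))
    scope = dict(env)  # the caller's data frame or sample data
    safe_builtins = {"len": len, "sum": sum, "min": min, "max": max}
    exec(source, {"__builtins__": safe_builtins}, scope)
    return scope
```

This gate works at the interpreter level, which is where the RCE in this CVE happens; executable-space restrictions (SI-16) do not cover code run by the Python interpreter itself.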

References