CVE-2024-12366
Published: 11 February 2025
Summary
CVE-2024-12366 is a critical-severity vulnerability with an unspecified weakness type in Getpanda (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE ranks in the top 7.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Data Processing Libraries; in the LLM/Generative AI Risks risk domain; MITRE ATLAS techniques in scope: LLM Prompt Injection (AML.T0051), LLM Jailbreak (AML.T0054).
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
PandasAI contains a vulnerability in its interactive prompt function that permits prompt injection attacks. Rather than generating an intended natural language explanation via the underlying LLM, an attacker-supplied prompt can cause the library to execute arbitrary Python code, resulting in remote code execution on the host system. The affected component is the core prompt-handling logic in PandasAI, which processes untrusted natural-language input without sufficient isolation or sandboxing.
An unauthenticated attacker with network access can supply a malicious prompt that bypasses the intended LLM workflow and directly executes Python statements. Successful exploitation grants full confidentiality, integrity, and availability impact, consistent with the CVSS 9.8 rating that reflects no required authentication or user interaction.
Public references point to PandasAI security documentation covering privacy controls and an advanced security agent feature, along with a CERT vulnerability note, but do not detail specific patches or configuration changes that close the injection path.
The associated EPSS score remains flat at 0.0781 with no observed increase after disclosure. The issue is specific to an LLM-integrated data-analysis library and therefore affects organizations using PandasAI for natural-language querying of data sets.
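The code-execution step described above is where a defender can place a gate. The following is an added example, not PandasAI's own code or its fix: a static check that vets LLM-generated Python against an allowlist before anything executes it. The function name `vet_generated_code`, the policy sets and the sample snippets are assumptions constructed for illustration; a check like this narrows exposure and belongs in front of an isolated sandbox, not in place of one.

```python
import ast

# Assumed policy for illustration: the only modules generated analysis code may
# import, and builtin names it must never reference.
ALLOWED_IMPORTS = {"pandas", "numpy", "math"}
BANNED_NAMES = {"eval", "exec", "compile", "open", "__import__", "getattr",
                "setattr", "delattr", "globals", "locals", "vars", "input",
                "breakpoint"}


def vet_generated_code(source: str) -> list[str]:
    """Return policy violations; an empty list means the code may proceed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable code rejected: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_IMPORTS:
                    problems.append(f"line {node.lineno}: import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            # Relative imports (level > 0) are rejected outright.
            if node.level or root not in ALLOWED_IMPORTS:
                problems.append(f"line {node.lineno}: import from {node.module or '.'}")
        elif isinstance(node, ast.Name) and node.id in BANNED_NAMES:
            # Flag any reference, not only calls, so aliasing (f = eval) is caught.
            problems.append(f"line {node.lineno}: use of {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder attribute access reaches object internals; deny it.
            problems.append(f"line {node.lineno}: dunder attribute {node.attr}")
    return problems


# Constructed samples standing in for code an LLM returned for a data question.
BENIGN = "import pandas as pd\nresult = df.groupby('region')['sales'].sum()\n"
OUT_OF_POLICY = "import os\nresult = os.listdir('.')\n"

if __name__ == "__main__":
    for label, code in (("benign", BENIGN), ("out-of-policy", OUT_OF_POLICY)):
        issues = vet_generated_code(code)
        print(label, "->", "ALLOW" if not issues else f"BLOCK {issues}")
```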
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50809
Vulnerability details
PandasAI uses an interactive prompt function that is vulnerable to prompt injection and can run arbitrary Python code, which can lead to Remote Code Execution (RCE) instead of the intended explanation of the natural language processing by the LLM.
- CWE(s)
AI Security Analysis
- AI Category: Data Processing Libraries
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: Matched keywords: llm, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The prompt injection vulnerability enables remote code execution via arbitrary Python code, mapping to T1059.006 (Command and Scripting Interpreter: Python) for execution and T1203 (Exploitation for Client Execution) as it exploits a software vulnerability in PandasAI.
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the PandasAI prompt injection vulnerability by requiring identification, reporting, and patching of the specific flaw enabling RCE.
Validates natural language inputs to the interactive prompt function to block prompt injection attacks that hijack LLM processing for arbitrary code execution.
Protects against unauthorized code execution resulting from successful prompt injections by implementing memory protections like executable space restrictions.