
AVID-2026-R1282

Description

D-Tale vulnerable to Remote Code Execution through the Custom Filter Input (CVE-2023-46134)

Details

D-Tale is the combination of a Flask back-end and a React front-end to view and analyze pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off the "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to expose D-Tale only to trusted users.

Reason for inclusion in AVID: CVE-2023-46134 describes a remote code execution vulnerability in D-Tale (a Flask/React-based tool for viewing and analyzing pandas data) prior to version 3.7.0. D-Tale is commonly used in data science workflows and can be part of AI data preparation or experimentation pipelines. The vulnerability is a security flaw (RCE risk) in a software component that could be used within AI system stacks, and thus represents a software supply-chain vulnerability for general-purpose AI systems. The report provides explicit vulnerability details, affected versions, and a patch/workaround, supporting classification as an exploitable security issue with clear evidence. Note that the CVSS vector and CWE recorded below describe a cross-site scripting issue with low confidentiality and integrity impact, which does not reflect the remote code execution described in this entry; the recorded score should not be read as the severity of the RCE.
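The entry records what the bug is (a user-supplied filter string that the server evaluates) and how 3.7.0 mitigates it (the input is off by default), but not how such a sink looks in code or how to decide whether a given deployment is exposed. The following is an added example, not D-Tale's own code and not the exploit used in the advisory: it contrasts a filter that is handed to a Python expression evaluator with one that only accepts a fixed `column op literal` grammar, and adds a small exposure check based on the version boundary and the default-off setting the entry describes. The row data, the column names, the `EXECUTED` marker and the `custom_filter_exposure` helper are all constructed for this illustration; the real D-Tale setting name and filter syntax are not stated on this page and are not assumed here.

```python
"""Added example (not D-Tale code): a raw "custom filter" string as a code
execution sink, a hardened allowlist filter, and a version/exposure check."""
import operator
import re

# Constructed sample data standing in for a pandas DataFrame.
COLUMNS = {"name", "age", "city"}
ROWS = [
    {"name": "ann", "age": 29, "city": "Oslo"},
    {"name": "bob", "age": 41, "city": "Oslo"},
    {"name": "cy", "age": 35, "city": "Rome"},
]

# Side-effect marker so the demo can prove attacker-controlled code ran.
EXECUTED = []


def unsafe_filter(rows, expr):
    """Vulnerable pattern: the filter text is evaluated as Python on the
    server. Because the globals dict has no '__builtins__' entry, Python
    injects the real builtins, so '__import__' and friends are reachable.
    This models the class of bug, not D-Tale's exact implementation."""
    return [r for r in rows if eval(expr, {"EXECUTED": EXECUTED}, dict(r))]


# --- hardened alternative: parse a tiny grammar, never evaluate text -------
SAFE_OPS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}
# One clause: <identifier> <op> <'string'|number>. Nothing else matches.
CLAUSE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*(==|!=|<=|>=|<|>)\s*('([^']*)'|-?\d+(?:\.\d+)?)\s*$"
)


class FilterError(ValueError):
    """Raised for any input outside the allowed filter grammar."""


def parse_filter(text, columns):
    """Turn "col op lit and col op lit ..." into a list of predicates.
    Column names must be in the allowlist; operators come from SAFE_OPS.
    (Splitting on ' and ' is deliberately simple: string literals that
    contain ' and ' are rejected rather than parsed.)"""
    preds = []
    for clause in text.split(" and "):
        m = CLAUSE.match(clause)
        if not m:
            raise FilterError(f"unsupported filter syntax: {clause!r}")
        col, op, lit, string_value = m.groups()
        if col not in columns:
            raise FilterError(f"unknown column: {col!r}")
        if string_value is not None:
            value = string_value
        else:
            value = float(lit) if "." in lit else int(lit)
        fn = SAFE_OPS[op]
        preds.append(lambda r, c=col, f=fn, v=value: f(r[c], v))
    return preds


def safe_filter(rows, text, columns):
    """Apply a parsed filter; type mismatches (e.g. 'name < 3') are errors,
    not crashes, and no user text is ever evaluated."""
    preds = parse_filter(text, columns)
    try:
        return [r for r in rows if all(p(r) for p in preds)]
    except TypeError as exc:
        raise FilterError(f"incomparable types in filter: {exc}") from exc


# --- exposure check derived from the advisory's version boundary ----------
def parse_version(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def custom_filter_exposure(version, custom_filters_enabled=False):
    """Pre-3.7.0: the custom filter input is always present, so the only
    mitigation is restricting who can reach the instance. 3.7.0+: the input
    is off by default and only re-exposes the server if an operator turns it
    on (the setting's real name is an assumption left unnamed here)."""
    if parse_version(version) < (3, 7, 0):
        return "vulnerable: upgrade to >=3.7.0 or restrict to trusted users"
    if custom_filters_enabled:
        return "exposed: custom filters enabled; restrict to trusted users"
    return "patched: custom filters disabled"


if __name__ == "__main__":
    # Harmless stand-in for an attacker payload: it only records os.getcwd().
    payload = "EXECUTED.append(__import__('os').getcwd()) or True"
    print(len(unsafe_filter(ROWS, payload)), "rows;", len(EXECUTED), "executions")
    print(safe_filter(ROWS, "age > 30 and city == 'Oslo'", COLUMNS))
    try:
        safe_filter(ROWS, payload, COLUMNS)
    except FilterError as e:
        print("rejected:", e)
    print(custom_filter_exposure("3.6.0"), "|", custom_filter_exposure("3.7.0"))
```

The point of the two filter functions is the shape of the fix, not the grammar itself: the 3.7.0 change removes the sink by default, and any re-enabled variant should be reachable only by users who are already trusted to run code on that host, which is exactly the workaround the entry gives for older versions.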

References

Affected or Relevant Artifacts

  • Developer: man-group
  • Deployer: man-group
  • Artifact Details:
    • Type: System
    • Name: dtale

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Base Score: 6.1
  • Base Severity: Medium
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

CWE

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-10-25
  • Version: 0.3.3
  • AVID Entry