Arbitrary Command Execution The advisory has been revoked - it doesn't affect any version of package pandas  (opens in a new tab)

This was deemed not a vulnerability.

pandas is a Python package providing data structures designed to make working with structured (tabular, multidimensional, potentially heterogeneous) and time series data both easy and intuitive.

Affected versions of this package are vulnerable to Arbitrary Command Execution in the pandas.DataFrame.query() function, which is commonly exposed by applications to accept user input. Code can be injected into a Python expression, which will be executed with the privileges of the application.

Note:

This behavior is not considered a vulnerability in this library because no guarantee of security is made by pandas. Notwithstanding this separation of concerns, this issue can be exploited when unsanitized input is allowed and developers should be aware of the potential consequences. Instances of exploitable public endpoints have been reported.

A warning has been added to the package's documentation to indicate that query() can evaluate arbitrary code, just like eval(). To prevent against this, developers are strongly encouraged to parameterize the queries that this method accepts as input, and to sanitize those input parameters to ensure they take the expected form.

The corresponding CVE, which is still only reserved, is expected to be rejected on the basis of the facts outlined above.

@pd.core.frame.com.builtins.__import__("os").system("""ping google.com #""")

• GitHub Issue
• PoC
• Vulnerable Code