CVE-2025-0655: Duplicate Advisory: D-Tale Command Injection vulnerability

March 20, 2025 (updated April 15, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-832w-fhmw-w4f4. This link is maintained to preserve external references.

Original Description

A vulnerability in man-group/dtale versions 3.15.1 allows an attacker to override global state settings to enable the enable_custom_filters feature, which is typically restricted to trusted environments. Once enabled, the attacker can exploit the /test-filter endpoint to execute arbitrary system commands, leading to remote code execution (RCE). This issue is addressed in version 3.16.1.

References

github.com/advisories/GHSA-gjxm-x497-4h6h
github.com/man-group/dtale
github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a
huntr.com/bounties/f63af7bd-5438-4b36-a39b-4c90466cff13
nvd.nist.gov/vuln/detail/CVE-2025-0655

Code Behaviors & Features

Detect and mitigate CVE-2025-0655 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →