CVE-2025-1497: PlotAI eval vulnerability
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. PlotAI commented out the vulnerable line; further use of the software requires uncommenting it and thus accepting the risk.
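The missing validation step the advisory describes, as an added example that is not PlotAI's code: a conservative AST allowlist gate that rejects LLM-generated plotting code before anything reaches eval()/exec(). The module allowlist, the forbidden-name set and the sample snippets are assumptions constructed for a pandas/matplotlib use case.

```python
import ast

# Added example (not PlotAI's code): a conservative gate that rejects
# LLM-generated plotting code before anything is passed to eval()/exec().
# The allowlist below is an assumption for a pandas/matplotlib use case.
ALLOWED_MODULES = {"matplotlib", "matplotlib.pyplot", "pandas", "numpy"}
FORBIDDEN_NAMES = {"eval", "exec", "compile", "open", "input", "__import__",
                   "getattr", "setattr", "delattr", "globals", "locals", "vars",
                   "breakpoint", "exit", "quit"}

def check_generated_code(src: str) -> tuple[bool, str]:
    """Return (accepted, reason). Any node outside the allowlist rejects."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as exc:
        return False, f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name not in ALLOWED_MODULES:
                    return False, f"import not allowed: {alias.name}"
        elif isinstance(node, ast.ImportFrom):
            if node.module not in ALLOWED_MODULES or node.level:
                return False, f"import-from not allowed: {node.module}"
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            return False, f"forbidden name: {node.id}"
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            return False, f"dunder name: {node.id}"
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False, f"dunder attribute: {node.attr}"
    return True, "ok"

# Constructed samples: what a plotting assistant is expected to emit versus
# what a prompt injection or model hallucination might emit instead.
BENIGN = (
    "import matplotlib.pyplot as plt\n"
    "df.plot(x='month', y='sales')\n"
    "plt.savefig('out.png')\n"
)
INJECTED_IMPORT = "import os\nos.system('id')\n"
INJECTED_DUNDER = "__import__('os').system('id')\n"
INJECTED_CHAIN = "().__class__.__base__.__subclasses__()\n"

if __name__ == "__main__":
    for label, code in [("benign", BENIGN), ("import", INJECTED_IMPORT),
                        ("dunder", INJECTED_DUNDER), ("chain", INJECTED_CHAIN)]:
        print(label, check_generated_code(code))
```

The gate is a pre-execution filter, not a sandbox: code it accepts still belongs in an isolated process or container with no network and a minimal filesystem, because AST allowlists on Python have a history of bypasses.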
References
- cert.pl/en/posts/2025/03/CVE-2025-1497
- cert.pl/posts/2025/03/CVE-2025-1497
- github.com/advisories/GHSA-2hmp-5wqg-f24h
- github.com/mljar/plotai
- github.com/mljar/plotai/commit/bdcfb13484f0b85703a4c1ddfd71cb21840e7fde
- github.com/pypa/advisory-database/tree/main/vulns/plotai/PYSEC-2025-22.yaml
- nvd.nist.gov/vuln/detail/CVE-2025-1497