Sinaptik AI PandasAI Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Sinaptik AI PandasAI versions prior to 3.0.0. The issue arises in the CodeExecutor class, specifically within the execute method, where user-generated Python code is executed using the native exec() function. This execution has full access to the __builtins__ module and occurs without any sandboxing, allowing for arbitrary code execution on the host system.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where PandasAI is running. The executed code runs with the same privileges as the application, potentially leading to a full compromise of the server. This includes the ability to read and write arbitrary files, such as credentials and SSH keys, install backdoors or reverse shells, move laterally within the network, and exfiltrate data.

Reproduction

To reproduce this vulnerability, create a PandasAI Agent with the default configuration, which does not include sandboxing. Then, send a prompt injection payload that includes malicious Python code, such as a command to execute a system command. The injected code will be executed on the host system, demonstrating the remote code execution vulnerability.