Unsafe deserialization vulnerability CVE-2024-37064

Question

Unsafe deserialization vulnerability CVE-2024-37064

hakan-77 opened this issue 7 months ago · 2 comments

Current Behaviour

Deseriliazation of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when loaded.

https://nvd.nist.gov/vuln/detail/CVE-2024-37064
https://hiddenlayer.com/sai-security-advisory/ydata-june2024

Expected Behaviour

Secured

Data Description

N/A

Code that reproduces the bug

No response

pandas-profiling version

= 3.7.0, <= 4.8.3

Dependencies

N/A

OS

All OSes

Checklist

There is not yet another bug report for this issue in the issue tracker
The problem is reproducible from this bug report. This guide can help to craft a minimal bug report.
The issue has not been resolved by the entries listed under Common Issues.