CVE-2025-1497: Remote Code Execution in PlotAI

9.3 CVSS

Description

A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code.
Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.

Classification

CVE ID: CVE-2025-1497

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products

Vendor: MLJAR

Product: PlotAI

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.42% (probability of being exploited)

EPSS Percentile: 59.41% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1497
https://cert.pl/posts/2025/03/CVE-2025-1497
https://cert.pl/en/posts/2025/03/CVE-2025-1497
https://github.com/mljar/plotai
https://github.com/mljar/plotai/commit/bdcfb13484f0b85703a4c1ddfd71cb21840e7fde

Timeline

2025-03-10 14:40:18 UTC
CVE

Remote Code Execution in PlotAI