CVE-2025-1497
moderate-risk
Published 2025-03-10
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. The vendor commented out the vulnerable line; further use of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch for this vulnerability.
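The root cause named above, executing model output without validation, is easiest to see side by side with a hardened variant. The following is an added example written for this page; it is not PlotAI's code and is not taken from the CERT Polska advisory. The three sample "model responses" are constructed, and the function names (`run_unvalidated`, `run_validated`, `check_policy`, `policy_rejects`), the `PolicyViolation` exception and the module/builtin allowlists are assumptions chosen for illustration. Anything the model sees (the user's request, but also column names and cell values in the dataset being plotted) is an injection channel, so the returned string has to be treated as attacker-controlled.

```python
import ast
import builtins

# Constructed sample model responses for this example (not taken from PlotAI
# or the advisory). A prompt-injected dataset or request can make the model
# return any of these; the application only ever sees a string.
BENIGN = "import math\nresult = [round(math.sqrt(v), 2) for v in values]\n"
INJECTED = (
    "import subprocess\n"
    "result = subprocess.check_output(['echo', 'pwned'], text=True).strip()\n"
)
SNEAKY = "result = ().__class__.__base__.__subclasses__()\n"  # classic exec escape


def run_unvalidated(code: str, values: list) -> object:
    """Vulnerable pattern: whatever the model returned is handed to exec()."""
    ns = {"values": list(values)}
    exec(code, ns)  # arbitrary Python, full builtins, full import access
    return ns.get("result")


# Assumed policy for the hardened variant: a small allowlist of modules and
# builtins, no private/dunder attribute access, no reflective or I/O builtins.
ALLOWED_MODULES = {"math", "statistics"}
ALLOWED_BUILTINS = {"abs", "float", "int", "len", "list", "max", "min",
                    "range", "round", "sorted", "sum"}
FORBIDDEN_NAMES = {"exec", "eval", "compile", "open", "__import__", "getattr",
                   "setattr", "delattr", "globals", "locals", "vars", "input",
                   "breakpoint", "type"}


class PolicyViolation(ValueError):
    """Raised when model output contains a construct outside the policy."""


def check_policy(code: str) -> ast.Module:
    """Parse the model output and reject anything outside the allowlist."""
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    raise PolicyViolation(f"import {alias.name!r} not allowed")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in ALLOWED_MODULES:
                raise PolicyViolation(f"import from {node.module!r} not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise PolicyViolation(f"private attribute {node.attr!r} not allowed")
        elif isinstance(node, ast.Name) and (
            node.id in FORBIDDEN_NAMES or node.id.startswith("_")
        ):
            raise PolicyViolation(f"name {node.id!r} not allowed")
    return tree


def _guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Runtime import hook: enforce the allowlist even if the static check is bypassed."""
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise PolicyViolation(f"import {name!r} blocked")
    return builtins.__import__(name, globals, locals, fromlist, level)


def run_validated(code: str, values: list) -> object:
    """Hardened pattern: static policy check, then exec with restricted builtins."""
    tree = check_policy(code)
    safe_builtins = {n: getattr(builtins, n) for n in ALLOWED_BUILTINS}
    safe_builtins["__import__"] = _guarded_import
    ns = {"__builtins__": safe_builtins, "values": list(values)}
    exec(compile(tree, "<llm-output>", "exec"), ns)
    return ns.get("result")


def policy_rejects(code: str) -> bool:
    """True when the hardened path refuses to run the given model output."""
    try:
        run_validated(code, [1.0])
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    print("unvalidated:", run_unvalidated(INJECTED, []))   # attacker code runs
    print("validated  :", run_validated(BENIGN, [4, 9, 2]))
    for payload in (INJECTED, SNEAKY):
        print("rejected   :", policy_rejects(payload))
```

The AST check plus restricted builtins raises the bar, but Python in-process "sandboxes" of this kind have a long history of escapes and should not be treated as a security boundary. The robust mitigation is to run model-generated code out of process, in a container or VM that holds no credentials, has no network access and sees only the data needed for the plot, and to keep the static policy as defence in depth. Commenting out the executing line, as the vendor did here, removes the feature entirely; re-enabling it restores the unvalidated path.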
Do I need to act?
EPSS: 5.6% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available: upgrade to commit 192754bd34a1119e92b1bd66552fd0ed268db213 or bdcfb13484f0b85703a4c1ddfd71cb21840e7fde. Note that the vendor's remediation is to comment out the vulnerable line rather than patch it (see the description above); re-enabling that line restores the exploitable code path.
CVSS: 9.8/10, Critical (attack vector: NETWORK; attack complexity: LOW)
Affected Products (1): Plotai
Affected Vendors: none listed
References (4)
Third Party Advisory: https://cert.pl/en/posts/2025/03/CVE-2025-1497
Third Party Advisory: https://cert.pl/posts/2025/03/CVE-2025-1497
Product: https://github.com/mljar/plotai
Risk score: 45 / 100 (moderate-risk)
Severity: 32/34 · Critical
Exploitability: 8/34 · Low
Exposure: 5/34 · Minimal