CVE-2025-1497: PlotAI eval vulnerability
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. PlotAI has commented out the vulnerable line; further use of the software requires uncommenting it and thus accepting the risk.