CVE-2024-57609

CVE-2024-57609 is a code injection vulnerability (CWE-94) affecting Kanaries Inc's Pygwalker library in versions prior to 0.4.9.9. The flaw resides in the login redirection function, where the redirect_path parameter is insufficiently sanitized, enabling a remote attacker to obtain sensitive information and execute arbitrary code. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact.

A remote attacker can exploit this vulnerability without authentication by crafting a malicious request targeting the redirect_path parameter during login redirection. Successful exploitation allows the attacker to steal sensitive data from the affected application and execute arbitrary code within the context of the Pygwalker process, potentially leading to full server compromise depending on the deployment environment.

Mitigation involves upgrading to Pygwalker version 0.4.9.9 or later, as indicated by the vulnerability description specifying affected versions. Additional details on exploitation, proof-of-concept, and remediation are available in the advisory at https://github.com/nca785/CVE-2024-57609/.