CVE-2024-3408
Published 2024-06-06
Priority: P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 77.95% (99.5th percentile)
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| man-group | dtale | >= 0 < 32bd6fb4a63de779ff1e51823a456865ea3cbd13 | 32bd6fb4a63de779ff1e51823a456865ea3cbd13 |
| man-group | dtale | 0 – 3.10.0 | — |
| man-group | man-group_dtale | >= unspecified < 3.13.1 | 3.13.1 |
| man | d-tale | — | — |
Detection & IOCs (extracted from sources)
Version: D-Tale 3.10.0 - 3.15.1
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dtale/test-filter/"; startswith; fast_pattern; content:"|3f|query|3d|"; within:50; content:"|40|pd.core.frame.com.builtins.__import__|28 27|os|27 29|.system|28 27|"; within:150; reference:url,github.com/rapid7/metasploit-framework/pull/19899; reference:cve,2024-3408; reference:cve,2025-0655; classtype:attempted-admin; sid:2060720; rev:1; metadata:affected_product D_Tale, attack_target Server, tls_state plaintext, created_at 2025_03_10, cve CVE_2025_0655, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect exploitation attempts by monitoring HTTP GET requests to /dtale/test-filter/ containing the pandas code injection pattern `@pd.core.frame.com.builtins.__import__('os').system(...)` in the `query` parameter.
- Monitor for HTTP GET requests to /dtale/update-settings/ with a body or query string containing `enable_custom_filters=true` (URL-encoded: `%22enable_custom_filters%22%3Atrue`), which is the prerequisite step to enable RCE.
- Flag use of the known forged Flask session cookie value associated with this CVE's PoC exploit: `eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoibnVjbGVpIn0.aYJDsw.w3AZyplKpvDzuqV5CJIsYdRbKYg`.
- Use Shodan/FOFA queries `title:"D-Tale"` / `title="D-Tale"` to identify exposed D-Tale instances for proactive asset discovery.
- The exploit follows a 4-step HTTP sequence: (1) GET /dtale/popup/upload to fingerprint the version, (2) POST /dtale/upload to create a dataset, (3) GET /dtale/update-settings/ to enable custom filters, (4) GET /dtale/test-filter/ with the malicious query payload. Correlate these four requests from the same source IP.
- The hardcoded Flask SECRET_KEY is only exploitable for authentication bypass when authentication is enabled on the D-Tale instance. If auth is disabled, the forged session cookie is unnecessary, but RCE via filter injection may still be possible.
- The custom filter RCE vector is exploitable even when `enable_custom_filters` is NOT enabled by default, because the /update-settings endpoint can be abused to toggle it on at runtime.
- CVE-2025-0655 is a related but distinct bypass that leverages the same /test-filter RCE primitive; the Metasploit module and Snort rule reference both CVEs. Detections covering the filter injection pattern will catch both.
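As an added example (not code from the page's sources or from the D-Tale project), the following Python detector applies the indicators above to web server access logs: it URL-decodes each request, flags the filter-injection pattern in the `query` parameter of /dtale/test-filter/ and the encoded `"enable_custom_filters":true` on /dtale/update-settings/, and correlates the four-step request sequence per source IP within a time window. The log lines are constructed, the dataset-id path segment (`/1`), the combined log format and the 10-minute window are assumptions, and because access logs carry only the query string, a POSTed body on /update-settings/ is not visible to this check.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined format (not real traffic).
# 203.0.113.7 performs the full four-step chain; 198.51.100.9 is benign use.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /dtale/popup/upload HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /dtale/upload HTTP/1.1" 200 88
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /dtale/update-settings/1?settings=%7B%22enable_custom_filters%22%3Atrue%7D HTTP/1.1" 200 20
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /dtale/test-filter/1?query=%40pd.core.frame.com.builtins.__import__%28%27os%27%29.system%28%27id%27%29 HTTP/1.1" 200 30
198.51.100.9 - - [10/Mar/2025:10:05:00 +0000] "GET /dtale/main/1 HTTP/1.1" 200 4096
198.51.100.9 - - [10/Mar/2025:10:05:05 +0000] "GET /dtale/test-filter/1?query=price%20%3E%2010 HTTP/1.1" 200 30
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicator 1: the pandas query-engine injection pattern from the Snort rule,
# matched on the URL-decoded query string.
INJECTION_RE = re.compile(
    r"@pd\.core\.frame\.com\.builtins\.__import__\(\s*['\"]os['\"]\s*\)\.system\("
)
# Indicator 2: decoded form of %22enable_custom_filters%22%3Atrue.
ENABLE_FILTERS_RE = re.compile(r'"enable_custom_filters"\s*:\s*true')


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "query": unquote(query),  # decode once so %40pd... becomes @pd...
    }


def classify(entry):
    """Map a request to the exploit-chain step it matches (1-4), or None."""
    method, path, query = entry["method"], entry["path"], entry["query"]
    if method == "GET" and path == "/dtale/popup/upload":
        return 1
    if method == "POST" and path == "/dtale/upload":
        return 2
    if path.startswith("/dtale/update-settings/") and ENABLE_FILTERS_RE.search(query):
        return 3
    if path.startswith("/dtale/test-filter/") and INJECTION_RE.search(query):
        return 4
    return None


def analyze(log_text, window_seconds=600):
    """Return injection hits (high confidence on their own) and source IPs that
    completed all four steps in order within window_seconds."""
    injection_hits = []
    steps_by_ip = defaultdict(dict)  # ip -> {step: first timestamp seen}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        step = classify(entry)
        if step is None:
            continue
        if step == 4:
            injection_hits.append((entry["ip"], entry["query"]))
        steps_by_ip[entry["ip"]].setdefault(step, entry["ts"])

    full_sequence = []
    for ip, steps in steps_by_ip.items():
        if set(steps) != {1, 2, 3, 4}:
            continue
        ts = [steps[s] for s in (1, 2, 3, 4)]
        in_order = all(a <= b for a, b in zip(ts, ts[1:]))
        if in_order and (ts[-1] - ts[0]).total_seconds() <= window_seconds:
            full_sequence.append(ip)
    return {"injection_hits": injection_hits, "full_sequence": full_sequence}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single step-4 hit is worth alerting on by itself; the sequence correlation is there to raise confidence and to surface the update-settings toggle (step 3) even when the final payload is obfuscated differently from the Snort content match.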
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
OSV · 2024-06-06
CVE-2024-3408: man-group/dtale version 3
GHSA · 2024-06-06 · HIGH · CWE-20
Authentication bypass in dtale
OSV · 2024-06-06 · HIGH
Authentication bypass in dtale
VulnCheck · 2024 · CVSS 9.8 · CRITICAL
man d-tale Use of Hard-coded Credentials
Affected: man d-tale
Required Action: Apply remediations or mitigations per vendor instruction
Suricata · 2025-03-10 · CVSS 6.9 · MEDIUM
ET WEB_SPECIFIC_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655)
Rule: sid:2060720, rev:1 (the full rule text is given in the Detection & IOCs section above)
Metasploit · CVSS 9.8 · CRITICAL
D-Tale RCE
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the enable_custom_filters feature, typically restricted to trusted environments. Once enabled, the /test-filter endpoint of the Custom Filters functionality can be exploited to execute arbitrary system commands.
Nuclei · CVSS 9.8 · CRITICAL
D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution
man-group/dtale 3.10.0 contains an authentication bypass and remote code execution caused by improper input validation and a hardcoded SECRET_KEY in Flask configuration, letting attackers forge session cookies and execute arbitrary code; exploitation requires the attacker to have access to the application.
Template:

```yaml
id: CVE-2024-3408

info:
  name: D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution
  author: ohmygod20260203
  severity: critical
  description: |
    man-group/dtale 3.10.0 contains an authentication bypass and remote code execution caused by improper input validation and a hardcoded SECRET_KEY in Flask configuration, letting attackers forge session cookies and execute arbitrary code, exploit requires attacker to access the application.
```