| Title | Sinaptik AI PandasAI <= 3.0.0 Path Traversal (CWE-22) |
|---|
| Description | # Technical Details
An Arbitrary File Read vulnerability exists in the SQL safety validator `pandasai/helpers/sql_sanitizer.py` of Sinaptik AI PandasAI.
The is_sql_query_safe() function uses a keyword blocklist to prevent malicious SQL but fails to block DuckDB-specific table functions (read_csv_auto, read_parquet, read_json, read_text). An attacker can craft a SELECT query that passes all safety checks while using these functions to read arbitrary files: SELECT * FROM read_csv_auto('/etc/passwd'). Additionally, ViewDatasetLoader.execute_local_query() skips the safety check entirely for local source types.
# Vulnerable Code
File: pandasai/helpers/sql_sanitizer.py (lines 40-108)
Method: is_sql_query_safe()
Why: Blocklist only covers INSERT/UPDATE/DELETE/DROP etc. but not read_csv_auto, read_parquet, read_json, read_text. Additionally, ViewDatasetLoader.execute_local_query() (view_loader.py lines 80-87) executes queries without any safety check.
# Reproduction
1. Application exposes PandasAI Agent.chat() or SQL execution via LocalDatasetLoader.
2. Send: SELECT * FROM read_csv_auto('/etc/passwd', header=False, sep=':')
3. Standard DROP/DELETE queries are blocked (HTTP 403) but read_csv_auto passes and returns /etc/passwd contents.
# Impact
- Arbitrary local file read (/etc/passwd, .env files, SSH keys).
- Exfiltrate API keys, database credentials, application secrets.
- Potential SSRF if DuckDB httpfs extension is available. |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/0ea2685789929bdb6363f5aebb7cba9a |
|---|
| User | Eric-b (UID 96354) |
|---|
| Submission | 03/12/2026 02:56 (17 days ago) |
|---|
| Moderation | 03/27/2026 14:48 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 353884 [Sinaptik AI PandasAI up to 3.0.0 sql_sanitizer.py is_sql_query_safe path traversal] |
|---|
| Points | 20 |
|---|