CVE-2024-21642 HIGH

CVE-2024-21642: D-Tale server-side request forgery through Web uploads

Vendor Man-Group

Product dtale

Weakness CWE-918 · SSRF

Published January 5, 2024

Last update June 17, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

Key dates

02Disclosure timeline

January 5, 2024 CVE published

June 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-21642

Related vulnerabilities

04Related CVE

CVE-2024-13695 Enfold <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id CVE-2024-31993 Mealie vulnerable to a GET-based SSRF in recipe image importer (GHSL-2023-227) CVE-2026-0600 Nexus Repository 3 - Server-Side Request Forgery in Proxy Repository Configuration CVE-2025-0480 wuzhicms config.php test server-side request forgery CVE-2026-7604 JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery