CVE-2025-1497
PlotAI eval vulnerability
9.8
CRITICAL
CVSS 3.1
EPSS 5.6%
Description
A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. The vendor commented out the vulnerable line; further usage of the software requires uncommenting it and thus accepting the risk. The vendor does not plan to release a patch to fix this vulnerability.
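The weakness described above is generated code reaching eval/exec unchecked. As an added illustration that is not PlotAI's code, the check below parses model output with the `ast` module and executes it only if every node, name and attribute is on an allowlist; the allowed names (`plt`, `df`, `np`), the `run_generated_plot` gate and both sample snippets are constructed assumptions.

```python
import ast

# Constructed allowlist: the only free names generated plotting code may read.
ALLOWED_NAMES = {"plt", "df", "np", "range", "len", "min", "max"}

# Constructed syntax allowlist: statements, calls, literals and arithmetic only;
# no imports, no def/class/lambda, no comprehensions, no with/try.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Call, ast.keyword, ast.Attribute,
    ast.Name, ast.Load, ast.Store, ast.Constant, ast.List, ast.Tuple, ast.Dict,
    ast.Subscript, ast.Slice, ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div,
    ast.UnaryOp, ast.USub,
)


def check_generated_code(src: str) -> list:
    """Return the reasons a generated snippet is rejected; an empty list means it passes."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    # Names the snippet assigns itself may be read back later in the snippet.
    assigned = {n.id for n in ast.walk(tree)
                if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            problems.append(f"disallowed syntax: {type(node).__name__}")
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            if node.id not in ALLOWED_NAMES and node.id not in assigned:
                problems.append(f"unknown name: {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Blocks dunder walks such as obj.__class__ that would escape the allowlist.
            problems.append(f"private attribute: {node.attr}")
    return problems


def run_generated_plot(src: str, namespace: dict) -> bool:
    """Gate the snippet and execute it only when the check passes; True if it ran."""
    if check_generated_code(src):
        return False
    # Even allowlisted code should run in an isolated process with no secrets in scope.
    exec(compile(src, "<llm-output>", "exec"), namespace)
    return True


# Constructed samples of model output: one that only plots, one that strays into imports.
BENIGN = "plt.figure()\nplt.plot(df['x'], df['y'])\nplt.title('sales')\n"
STRAYING = "import os\nplt.plot(df['x'], os.listdir('.'))\n"
```

The allowlist reduces what generated code can express but is not a sandbox on its own; it belongs in front of process isolation, not in place of it.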
How to fix CVE-2025-1497
To remediate CVE-2025-1497, upgrade the affected package to a fixed version below.
- upgrade to 0.0.7 or later
- upgrade to bdcfb13484f0b85703a4c1ddfd71cb21840e7fde or later
Is CVE-2025-1497 being exploited?
Moderate — EPSS is 5.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 0.0.7
- from 0, < bdcfb13484f0b85703a4c1ddfd71cb21840e7fde | from 0, < 0.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |