skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
January 11, 2024

GHSL-2023-262: Server-side request forgery (SSRF) vulnerability in Dtale 3.8.1 - CVE-2024-21642

Sylwia Budzynska

Coordinated Disclosure Timeline


Dtale 3.8.1 is vulnerable to server-side request forgery (SSRF) vulnerability.



Tested Version



SSRF in (GHSL-2023-262)

The web_upload function in dtale/ takes a user-controlled url parameter and passes it to loader_func in dtale/cli/loaders/, which then passes it to handle_path function in dtale/cli/, which uses the destination defined in url to make a GET request on line 244. There are no limitations set on what url could contain, which leads to server-side request forgery (SSRF). The contents of the requested files from the url can be then read inside dtale.


def handle_path(path, kwargs, resp_handler=handle_str_content):
    if is_url(path):
        proxy = kwargs.pop("proxy", None)
        req_kwargs = {}
        if proxy is not None:
            req_kwargs["proxies"] = dict(http=proxy, https=proxy)
        resp = requests.get(path, **req_kwargs)
        assert resp.status_code == 200
        return resp_handler(resp)
    return path

This issue was found with the help of CodeQL Full server-side request forgery query.


This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet.

This issue allows for viewing any files from arbitrary sources that dtale can process: csv, tsv, json, excel, parquet and txt. For all other file types, it is a blind server side request forgery.



This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).


You can contact the GHSL team at, please include a reference to GHSL-2023-262 in any communication regarding this issue.