vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as pg_read_file(). This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like /etc/passwd, by exploiting the exposed SQL queries via a Python Flask API.
In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in src/vanna/base/base.py. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the …
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.