Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks

27-June-24

A high-severity vulnerability, CVE-2024-5565, has been identified in Vanna.AI, a Python-based machine learning library used for querying SQL databases. The flaw, rated CVSS 8.1, allows remote code execution through prompt injection in the library’s “ask” function. By manipulating prompts, attackers can trick Vanna into executing arbitrary Python code instead of the intended visualization commands, potentially compromising the underlying system. The vulnerability underscores the risk of using generative AI models without robust security measures, and the need for stringent input validation and secure coding practices in AI applications.
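One way to apply the input-validation point above to model-generated chart code, as an added example that is not Vanna's code or its fix: parse the generated Python and reject anything outside a small allowlist before it is executed. The module allowlist, the banned-name list and the sample strings are assumptions constructed for illustration.

```python
import ast

# Assumption: legitimate chart code only needs these modules.
ALLOWED_IMPORTS = {"plotly", "plotly.express", "plotly.graph_objects", "pandas"}
# Builtins that give generated code a path to arbitrary execution or file access.
BANNED_NAMES = {"eval", "exec", "compile", "open", "__import__", "getattr",
                "setattr", "delattr", "globals", "locals", "vars", "input"}

def vet_generated_code(source):
    """Return a list of policy violations; an empty list means the code passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name not in ALLOWED_IMPORTS:
                    problems.append(f"import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            # Relative imports and unlisted modules are both rejected.
            if node.level or node.module not in ALLOWED_IMPORTS:
                problems.append(f"import from {node.module}")
        elif isinstance(node, ast.Name) and node.id in BANNED_NAMES:
            problems.append(f"use of {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Underscore attributes are how object internals get reached.
            problems.append(f"access to attribute {node.attr}")
    return problems

# Constructed samples: what the model should return, and two outputs
# that a manipulated prompt could produce instead.
BENIGN = "import plotly.express as px\nfig = px.bar(df, x='region', y='total')"
INJECTED = "import os\nfig = os.getcwd()"
DUNDER = "fig = df.__class__"

if __name__ == "__main__":
    for label, code in [("benign", BENIGN), ("injected", INJECTED), ("dunder", DUNDER)]:
        print(label, vet_generated_code(code) or "ok")
```

A static check like this is a gate in front of execution, so it belongs alongside running the generated code in a sandboxed process rather than in place of it.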
