SQL Injection Vulnerability in Vanna-ai
CVE-2024-7764

8.1 HIGH

Key Information:

Vendor:
Vanna-ai
CVE Published:
20 March 2025

What is CVE-2024-7764?

Vanna-ai v0.6.2 is susceptible to SQL injection because it lacks adequate safeguards against SQL commands injected through user input. The issue originates in the generate_sql function, which invokes the extract_sql method on the response from a large language model (LLM). An attacker can exploit this by inserting a semicolon between valid search parameters and their own SQL command. This can trick the extract_sql function into discarding the legitimate LLM-generated SQL, so that arbitrary SQL commands are executed if they pass the is_sql_valid function. Consequently, the flaw permits executing commands beyond the standard trained schema, raising significant security concerns.
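Because the injected statement can replace the LLM's SQL and still pass a syntax check, the schema boundary is best enforced by the database itself. The following is an added example, not Vanna's code or its fix: it assumes a SQLite backend, and the table names, allowlists and helper names (schema_authorizer, open_guarded_db, run_generated_sql) are hypothetical.

```python
import sqlite3

# Constructed allowlists (assumptions): what the assistant may read and call.
ALLOWED_TABLES = {"orders"}
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max"}

def schema_authorizer(action, arg1, arg2, db_name, source):
    """SQLite authorizer: permit read-only access to allowlisted tables only."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DDL, PRAGMA, ATTACH, other tables

def open_guarded_db():
    """Build a constructed demo database, then install the authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO orders VALUES (1, 10.0), (2, 32.5);
        INSERT INTO users VALUES (1, 'a@example.test');
    """)
    conn.set_authorizer(schema_authorizer)
    return conn

def run_generated_sql(conn, sql):
    """Execute untrusted SQL; return (rows, None) or (None, refusal reason)."""
    try:
        # execute() accepts exactly one statement; stacked input raises.
        return conn.execute(sql).fetchall(), None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return None, str(exc)

if __name__ == "__main__":
    db = open_guarded_db()
    for sql in ("SELECT count(*) FROM orders",        # in schema: allowed
                "SELECT email FROM users",             # outside the allowlist
                "SELECT 1; SELECT email FROM users",   # stacked statements
                "DROP TABLE orders"):                  # not read-only
        print(sql, "->", run_generated_sql(db, sql))
```

On other database engines the equivalent control is a dedicated read-only role whose grants cover only the tables the model was trained on.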

Affected Version(s)

vanna-ai/vanna <= unspecified

CVSS V3.0

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
