Vulnerability Description
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://huntr.com/bounties/90620087-44ac-4e43-b659-3c5d30889369
- https://huntr.com/bounties/90620087-44ac-4e43-b659-3c5d30889369
FAQ
What is CVE-2024-5826?
CVE-2024-5826 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated c...
How severe is CVE-2024-5826?
CVE-2024-5826 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-5826?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.