Tool Abuse / Excessive Agency · Severity: High
Vanna.AI prompt injection to RCE (CVE-2024-5565)
June 2024 · Vanna.AI
What happened
JFrog showed that user input to Vanna's text-to-SQL ask() method, with the default visualize=True, flowed into dynamically executed Plotly code, so a crafted prompt achieved remote code execution on the host instead of returning a chart (CVE-2024-5565, CVSS 8.1).
Root cause
LLM-influenced output was passed into Python exec() to build visualizations with no sandboxing, letting prompt injection cross from the model layer into host code execution.
Fix / outcome
Vanna added sandboxing guidance after coordinated disclosure. Treat any LLM-influenced output that reaches a code evaluator as untrusted.
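As an added illustration of the root cause and the mitigation above (example code written for this entry, not Vanna's code or JFrog's): a static screen that an LLM-generated chart snippet must pass before any exec() is attempted. The allowed module and name lists, and the sample snippets, are constructed assumptions.

```python
import ast

# Constructed allowlist for LLM-generated Plotly snippets (an assumption, not Vanna's policy).
ALLOWED_MODULES = {"plotly.express", "plotly.graph_objects"}
ALLOWED_NAMES = {"px", "go", "df", "len", "range", "min", "max", "sum",
                 "str", "int", "float", "list", "dict", "sorted"}


def check_chart_code(code: str) -> list[str]:
    """Screen an LLM-influenced chart snippet statically, before it reaches exec().

    Returns the policy violations found; an empty list means the snippet only
    imports the allowed Plotly modules, reads only allowed or locally bound
    names, and never touches dunder attributes.
    """
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]

    # Names the snippet binds itself (assignments, comprehensions, import aliases)
    # may be read back; a disallowed import is flagged separately below.
    bound = {n.id for n in ast.walk(tree)
             if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    bound |= {(a.asname or a.name).split(".")[0] for n in ast.walk(tree)
              if isinstance(n, (ast.Import, ast.ImportFrom)) for a in n.names}

    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            violations += [f"import of {a.name!r}" for a in node.names
                           if a.name not in ALLOWED_MODULES]
        elif isinstance(node, ast.ImportFrom):
            if node.module not in ALLOWED_MODULES:
                violations.append(f"import from {node.module!r}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"dunder attribute {node.attr!r}")
        elif (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
              and node.id not in ALLOWED_NAMES | bound):
            violations.append(f"unexpected name {node.id!r}")
    return violations


# Constructed samples: one snippet a text-to-SQL chart step would legitimately
# produce, and two that an injected prompt could steer the model into emitting.
GOOD = 'import plotly.express as px\nfig = px.bar(df, x="region", y="sales")\n'
BAD_IMPORT = "import os\nfig = os.getcwd()\n"
BAD_DUNDER = "fig = px.__dict__\n"

if __name__ == "__main__":
    for label, snippet in [("good", GOOD), ("bad_import", BAD_IMPORT), ("bad_dunder", BAD_DUNDER)]:
        print(label, check_chart_code(snippet) or "ok")
```

This is defence in depth, not a sandbox: an allowed object can still carry side effects, so even a snippet that passes the screen should run in an isolated process with no host credentials or network, or the chart should be built from a structured spec instead of generated code.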
Sources
Learn this attack class
This incident is an example of Tool Abuse / Excessive Agency. Read the guide, then try it hands-on in the Academy.