vanna@0.0.28 vulnerabilities

Generate SQL queries from natural language

Direct Vulnerabilities

Known vulnerabilities in the vanna package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version

Severity: M (Medium)
SQL Injection
Vulnerable versions: [0,)

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to SQL Injection through the pg_read_file function. An attacker can read arbitrary local files on the server by exploiting exposed SQL queries.

Note

By default pg_read_file() is restricted to superusers, but other users can be granted the EXECUTE permission to run this function.

How to fix SQL Injection?

There is no fixed version for vanna.
Severity: M (Medium)
SQL Injection
Vulnerable versions: [0,)

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to SQL Injection through the integration of DuckDB with Flask Web APIs. An attacker can manipulate SQL training data to generate queries that write arbitrary files on the victim's system, potentially leading to unauthorized command execution or the creation of backdoors.

How to fix SQL Injection?

There is no fixed version for vanna.
Severity: C (Critical)
Code Injection
Vulnerable versions: [0,)

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to Code Injection via the src/vanna/base/base.py file, where the exec function executes the plotly_code generated by the LLM in the generate_plotly_code function. An attacker can achieve RCE on the application backend server via prompt injection and gain full control of the server.

How to fix Code Injection?

There is no fixed version for vanna.
Severity: H (High)
Improper Input Validation
Vulnerable versions: [0,)

vanna is a package that generates SQL queries from natural language.

Affected versions of this package are vulnerable to Improper Input Validation, allowing prompt injection via the ask method when the visualize parameter is set to True. An attacker can execute arbitrary code by injecting malicious input into the prompt function. This is only exploitable when the visualize parameter is enabled, which is the default setting.

How to fix Improper Input Validation?

There is no fixed version for vanna.