DuckDB
cpe:2.3:a:duckdb:duckdb:*:*:*:*:*:*:*
- latest
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the latest version of Vanna-AI Vanna, specifically when DuckDB is used as the database. This vulnerability allows attackers to exploit default DuckDB functions, such as 'read_csv', 'read_csv_auto', 'read_text', and 'read_blob', to make unauthorized requests to internal or external resources. As a result, sensitive data, internal systems, and potentially further attack vectors could be compromised.
Exploitation of this vulnerability allows for unauthorized requests to be sent from the server to external or internal resources, bypassing security controls. This could lead to access and retrieval of sensitive data, disruption of services, or unauthorized interactions with internal systems. Additionally, such SSRF vulnerabilities can be used for further attacks, such as port scanning, accessing metadata services, or executing arbitrary code on backend systems, depending on the server's configuration and the attacker's objectives.
To reproduce this vulnerability, use Vanna-AI Vanna with DuckDB as the database. After setting up a Flask application that serves internal content, upload a CSV file through Vanna's SQL query interface. When prompted about the query results, respond negatively to customize the query. Then, execute a crafted SQL query that uses one of the vulnerable DuckDB functions to read from the internal Flask server. The application will return the internal web content, demonstrating the SSRF exploitation.
Users are advised to sanitize SQL queries before execution to prevent the use of DuckDB functions that can initiate SSRF attacks.
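One way to apply this mitigation in the application layer, as an added example that is not part of the advisory or of Vanna's own code: a pre-execution check that rejects queries invoking the file-reading DuckDB table functions named above, and a connection opened with DuckDB's enable_external_access setting turned off as defence in depth (a name blocklist alone is brittle). Function names and the sample queries are assumptions constructed for illustration.

```python
import re

# DuckDB table functions that read local files or URLs. The first four are the ones
# the advisory names; the rest belong to the same family. Treat this as a starting
# point: plain paths or URLs in FROM and COPY ... FROM also read external data.
BLOCKED_FUNCTIONS = frozenset({
    "read_csv", "read_csv_auto", "read_text", "read_blob",
    "read_json", "read_json_auto", "read_parquet",
})

# Single-pass skip pattern: string literals, quoted identifiers, line comments and
# block comments are blanked out together so a "--" inside a literal is not mistaken
# for a comment and a quote inside a comment does not open a string.
_SKIP_RE = re.compile(r"'(?:[^']|'')*'|\"[^\"]*\"|--[^\n]*|/\*.*?\*/", re.DOTALL)
# A function call: identifier, optional whitespace, opening parenthesis.
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def blocked_calls(sql: str) -> list[str]:
    """Return the blocked DuckDB functions invoked in sql, lower-cased and sorted.

    Literals and comments are removed first, so a function name that only appears
    inside a string (e.g. in a WHERE clause value) is not a false positive.
    """
    cleaned = _SKIP_RE.sub(" ", sql)
    called = {m.group(1).lower() for m in _CALL_RE.finditer(cleaned)}
    return sorted(called & BLOCKED_FUNCTIONS)


def is_safe_query(sql: str) -> bool:
    """True when the query calls none of the blocked file/URL-reading functions."""
    return not blocked_calls(sql)


def open_locked_connection(path: str = ":memory:"):
    """Defence in depth: open DuckDB with external file/URL access disabled and the
    configuration locked, so a query cannot re-enable it. Requires the duckdb package;
    it is imported here so the checks above work without it installed."""
    import duckdb

    con = duckdb.connect(path, config={"enable_external_access": False})
    con.execute("SET lock_configuration = true")
    return con


if __name__ == "__main__":
    # Constructed sample: a query of the shape the advisory describes.
    sample = "SELECT * FROM read_csv('http://internal.example/data')"
    print("blocked:", blocked_calls(sample))   # prints ['read_csv']
```

With the connection from open_locked_connection, even a query that slips past the check fails at execution time instead of fetching the resource.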