Mindinventory MindSQL Prompt Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A prompt injection vulnerability has been identified in Mindinventory MindSQL versions through 0.2.1. This vulnerability resides in the `ask_db` function within the file `mindsql/core/mindsql_core.py`. The issue arises when untrusted user input is sent to a large language model (LLM) to generate SQL and potentially Python visualization code. If the application executes LLM-generated Python—such as for creating Plotly charts—an attacker could manipulate the prompt to produce harmful Python code, which might be executed on the host, leading to remote code execution.
Impact
According to the vulnerability advisory, successful exploitation results in code injection: attacker-influenced Python can be executed on the host system running MindSQL.
Reproduction
To reproduce this vulnerability, first ensure that the MindSQL application is set up to generate visualization code from LLM output. This can be done by using a `visualize=True` option. Once the application is configured, an attacker can inject a prompt that instructs the LLM to ignore previous directives related to Plotly and to output Python code embedding an OS command execution payload. The injected prompt must be crafted to ensure that the SQL execution result meets certain conditions, such as returning multiple columns, to successfully execute the injected command.
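The root cause described above is that text produced by the LLM is treated as trusted Python. The strongest fix is not to execute model output at all (for example, have the model emit a declarative chart description that the application renders itself); where generated code must still be run, a static allow-list check before execution is a defence-in-depth control. The following is an added example of such a check, written for this advisory and not taken from MindSQL; the function name `check_generated_code`, the allow-list contents and the sample snippets are all constructed assumptions.

```python
import ast

# Hypothetical pre-execution filter (added example, not MindSQL's own code).
# It never runs the snippet; it only walks the AST and rejects anything that
# leaves a narrow "build a Plotly figure from a DataFrame" allow-list.
ALLOWED_MODULES = {"plotly", "plotly.express", "plotly.graph_objects", "pandas"}
FORBIDDEN_NAMES = {"exec", "eval", "compile", "open", "__import__",
                   "getattr", "globals", "locals", "breakpoint", "input"}
FORBIDDEN_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
                   ast.Lambda, ast.Global, ast.Nonlocal, ast.With, ast.Try)


def check_generated_code(code: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only if every node is on the allow-list."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return False, f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name not in ALLOWED_MODULES:
                    return False, f"import of {alias.name!r} not allowed"
        elif isinstance(node, ast.ImportFrom):
            # node.module is None for relative imports; those are rejected too
            if node.module not in ALLOWED_MODULES:
                return False, f"import from {node.module!r} not allowed"
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            return False, f"use of builtin {node.id!r} not allowed"
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # blocks sandbox-escape style access such as ().__class__ chains
            return False, f"dunder attribute {node.attr!r} not allowed"
        elif isinstance(node, FORBIDDEN_NODES):
            return False, f"{type(node).__name__} not allowed"
    return True, "ok"


# Constructed samples: what a well-behaved response and an injected one look like.
BENIGN = "import plotly.express as px\nfig = px.bar(df, x=df.columns[0], y=df.columns[1])\n"
INJECTED = "import os\nos.system('echo injected')\n"
OBFUSCATED = "__import__('os').system('echo injected')\n"

if __name__ == "__main__":
    for label, snippet in [("benign", BENIGN), ("injected", INJECTED), ("obfuscated", OBFUSCATED)]:
        print(label, check_generated_code(snippet))
```

The check is a gate, not a sandbox: a snippet that passes should still run with least privilege and without access to the database credentials held by the main process.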
