Vanna AI Vanna CORS Origin Reflection Vulnerability in FastAPI/Flask Server

A CORS misconfiguration vulnerability has been identified in Vanna AI's Vanna product, affecting versions through 2.0.2. The issue arises from the FastAPI and Flask server implementations, where the server reflects any 'Origin' request header value into the 'Access-Control-Allow-Origin' response header, while also setting 'Access-Control-Allow-Credentials' to true. This misconfiguration allows an attacker-controlled website to make authenticated cross-origin requests to the Vanna API on behalf of a victim user, potentially leading to unauthorized access to sensitive data.

Impact

Exploitation of this vulnerability allows an attacker to perform API actions on behalf of authenticated users, exfiltrate sensitive query results from the database cross-origin, and requires user interaction to execute.

Reproduction

To reproduce this vulnerability, install Vanna version 2.0.2 with FastAPI support. Start the server with the default configuration, which will listen on 'http://0.0.0.0:8000'. Send a CORS preflight request to the server's API endpoint, including an attacker-controlled 'Origin' header. The server will respond with the 'Access-Control-Allow-Origin' header reflecting the attacker's origin and 'Access-Control-Allow-Credentials' set to true. This response can be verified by sending another preflight request with a different origin and observing the same reflection behavior. Once confirmed, the vulnerability can be exploited by sending a request from a page hosted on the attacker-controlled origin, using the victim's credentials to access the Vanna API and exfiltrate data.

Remediation

It is recommended to replace the permissive CORS defaults with an explicit origin whitelist, disallowing credentials by default. Alternatively, the application can be configured to allow specific origins while ensuring 'allow_credentials' is not set to true.