CVE-2024-8099
vanna-ai/vanna - Server-Side Request Forgery via DuckDB SQL Query Functions
Severity: HIGH
Title source: llmDescription
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted SQL queries that leverage DuckDB's default features, such as `read_csv`, `read_csv_auto`, `read_text`, and `read_blob`, to make unauthorized requests to internal or external resources. This can lead to unauthorized access to sensitive data, internal systems, and potentially further attacks.
References (1)
Core References
https://huntr.com/bounties/19b96694-ed52-4ee4-8d2c-6cc7bd09c0ad (Exploit, Third Party Advisory)
Scores
CVSS v3: 8.3
EPSS: 0.0033
EPSS Percentile: 24.6%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1)
vanna-ai/vanna-ai/vanna: unspecified - latest
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026