Slide 12 · Attack Pattern 3 of 4
You asked for a sales report. The attacker got your user table.
CVE-2024-5565 — Vanna.AI — CVSS 9.2 Critical
How It Works
Text-to-SQL systems translate natural language questions into SQL queries, then execute those queries directly. An attacker crafts a question that causes the LLM to produce malicious SQL. Without parameterized queries or query validation, that SQL runs as-is — including any injected clauses.
Real Incident
Vanna.AI Prompt Injection to RCE
CVE-2024-5565 · CVSS 9.2 Critical · JFrog Security Research, June 2024
Vanna.AI converts natural language to SQL and then generates Plotly visualization code from the results. JFrog researchers found that a prompt injection attack could cause the LLM to embed arbitrary Python in the Plotly generation step. That Python executed via exec(). The attack chain: LLM → SQL → Plotly Python → exec() → OS command execution. The researcher achieved full RCE on the host running Vanna.AI without authentication. CVSS 9.2 under the v4.0 scoring model.
Takeaway: Every layer that passes LLM output downstream is an attack surface. Vanna.AI had two: the SQL query and the visualization code. Neither was sanitized. JFrog disclosed responsibly; Vanna issued hardening guidance recommending sandboxed execution environments.
sql = llm.generate_sql(user_question)
results = db.execute(sql)
plot_code = llm.generate_plotly(results)
exec(plot_code)