28 June 2024

High-Severity Prompt Injection Flaw in Vanna AI: A Wake-Up Call for Cybersecurity

Artificial intelligence (AI) continues to revolutionize numerous fields, from healthcare to finance, offering unparalleled advancements in automation and data analysis. However, with this rapid technological growth comes an array of security challenges. A recent discovery of a high-severity security flaw in the Vanna.AI library has put a spotlight on these challenges, emphasizing the critical need for robust cybersecurity measures. This vulnerability, identified as CVE-2024-5565 and carrying a CVSS score of 8.1, facilitates remote code execution (RCE) via prompt injection techniques. This blog explores the intricacies of this flaw, the nature of prompt injection attacks, and essential strategies for mitigation to safeguard against such vulnerabilities.

Understanding the Vulnerability

What is Vanna.AI?

Vanna.AI is a Python-based machine learning library designed to simplify the interaction with SQL databases. It allows users to query databases using natural language prompts, which are then translated into SQL queries via a large language model (LLM). This functionality is part of a broader trend to make complex data analysis more accessible through the use of AI, significantly enhancing productivity and efficiency.

The Core Issue: CVE-2024-5565

The vulnerability at the center of this issue is found in the "ask" function of Vanna.AI. Researchers from JFrog, a supply chain security firm, uncovered that this function can be manipulated through carefully crafted prompts, leading to the execution of arbitrary commands on the underlying system. This exploit opens the door to remote code execution, posing a severe risk to the integrity and security of the affected systems.

Prompt Injection Attacks: A Deep Dive

Prompt injection attacks are a sophisticated class of AI jailbreak techniques. They exploit the vulnerabilities inherent in generative AI models, bypassing safety mechanisms to generate harmful or illegal content. These attacks can manipulate AI systems to perform actions or produce outputs that violate the intended use and ethical guidelines of the technology.

Types of Prompt Injection Attacks

  1. Indirect Prompt Injection: In this scenario, attackers use data controlled by third parties, such as incoming emails or editable documents, to inject malicious payloads into the AI system. This type of attack leverages the system's handling of external data to introduce vulnerabilities that can lead to an AI jailbreak.
  2. Many-shot Jailbreak (Crescendo): This method involves a gradual approach, where the attacker starts with harmless dialogue and progressively steers the conversation toward a prohibited objective. Through multiple interactions, the attacker circumvents the model’s safety mechanisms and achieves their malicious intent.
  3. Skeleton Key: A more advanced technique, Skeleton Key involves a multi-turn strategy to disable the model's guardrails permanently. Once these safeguards are compromised, the model can produce any content, regardless of the ethical and safety guidelines initially programmed. This makes the model susceptible to generating harmful or illicit outputs upon direct request.

Security Implications of CVE-2024-5565

The CVE-2024-5565 vulnerability is particularly alarming due to its integration with the Plotly graphing library, used for visualizing SQL query results. The dynamic generation of Plotly code in conjunction with the "ask" function creates a significant security loophole. This setup allows attackers to submit prompts that alter the intended visualization code to execute arbitrary Python code instead.

The Exploit Mechanism

The exploit works by manipulating the text-to-SQL generation process. Vanna.AI's "ask" function, designed to convert user prompts into SQL queries, is leveraged by attackers to inject commands. When the "visualize" option is enabled (the default setting), this malicious prompt can execute arbitrary code instead of producing the intended visual output.

JFrog's research underscores the critical nature of this flaw, highlighting the potential for remote code execution through this method. Allowing external input to the "ask" method with visualization enabled exposes the system to significant risk, emphasizing the need for stringent security measures.

Mitigation and Recommendations

In response to the CVE-2024-5565 vulnerability, Vanna.AI has issued a hardening guide recommending users deploy the Plotly integration within sandboxed environments. This precaution aims to contain potential exploits and prevent arbitrary code execution.

Key Security Measures

  1. Sandboxing: Implementing sandboxing techniques is crucial for any function involving dynamic code generation or external inputs. Sandboxing isolates the execution environment, preventing malicious code from affecting the broader system.
  2. Comprehensive Security Frameworks: Organizations should not rely solely on pre-prompting as a defense mechanism. A robust security framework, incorporating multiple layers of protection, is essential when integrating LLMs with critical resources like databases.
  3. Regular Security Audits: Conducting regular security audits can help identify and mitigate vulnerabilities early. These audits should include thorough testing of all AI-related functionalities to ensure they are not susceptible to prompt injection or other types of attacks.
  4. User Education and Training: Educating users and developers about the risks of prompt injection attacks and best practices for security is vital. Awareness programs and training sessions can help build a culture of cybersecurity within the organization.
  5. Code Reviews and Static Analysis: Regular code reviews and the use of static analysis tools can help detect potential vulnerabilities in the codebase. This practice should be a standard part of the development lifecycle for AI applications.

Broader Implications for AI Security

The discovery of CVE-2024-5565 in Vanna.AI highlights the broader implications of AI security. As AI technologies become more integrated into critical systems, the potential impact of security vulnerabilities grows exponentially. Organizations must adopt a proactive approach to AI security, recognizing that the risks extend beyond traditional cybersecurity threats.

The Need for AI-Specific Security Measures

AI-specific security measures are essential to address the unique challenges posed by generative models. These measures should include:

  • Robust Input Validation: Ensuring that all inputs to AI models are thoroughly validated and sanitized can prevent many forms of prompt injection attacks.
  • Dynamic Monitoring and Response: Implementing dynamic monitoring systems that can detect and respond to unusual or malicious behavior in real-time.
  • Ethical and Responsible AI Guidelines: Developing and enforcing ethical guidelines for AI usage to ensure that models operate within the intended boundaries.


The discovery of the high-severity prompt injection flaw in Vanna AI, tracked as CVE-2024-5565, serves as a critical wake-up call for the cybersecurity community. At digiALERT, we recognize the profound implications this vulnerability holds for organizations leveraging AI technologies. This flaw underscores the urgent need for robust security measures, proactive monitoring, and comprehensive governance frameworks tailored to the unique challenges posed by generative AI models.

The integration of AI into essential systems demands a heightened awareness of potential security risks, such as prompt injection attacks. These vulnerabilities can lead to severe consequences, including remote code execution, compromising the integrity and security of critical data. As this case with Vanna AI demonstrates, relying solely on traditional security practices is insufficient. We must adopt a multi-layered approach to AI security, incorporating sandboxing, regular audits, thorough input validation, and continuous user education.

At digiALERT, we are committed to helping organizations navigate the complexities of AI security. Our expertise in identifying and mitigating risks associated with advanced technologies ensures that our clients can safely harness the transformative power of AI. By fostering a culture of cybersecurity and implementing robust defense mechanisms, we can protect against emerging threats and secure a safer digital future.


Read 74 times Last modified on 28 June 2024


digiALERT is a rapidly growing new-age premium cyber security services firm. We are also the trusted cyber security partner for more than 500+ enterprises across the globe. We are headquartered in India, with offices in Santa Clara, Sacremento , Colombo , Kathmandu, etc. We firmly believe as a company, you focus on your core area, while we focus on our core area which is to take care of your cyber security needs.