Overview
Real-world impact: CVE-2024-5753 affects vanna-ai/vanna v0.3.4 and exposes a SQL injection, reachable through a Flask API, in code paths that call file-reading PostgreSQL functions such as pg_read_file. The vulnerability allows unauthenticated remote actors to make the database return arbitrary server files (for example, /etc/passwd) by supplying input that is embedded directly into the SQL text. This aligns with CWE-89 (SQL Injection) and illustrates how untrusted user input fed into dynamic SQL in a Python Flask app can lead to unintended disclosure of data from the host system. The risk is amplified when a web-facing Flask route exposes database-backed file access through unvalidated input.
Threat scenario: An attacker targets a Flask endpoint that builds SQL commands from user-supplied data, such as a file path, and calls a PostgreSQL function like pg_read_file. If the code concatenates input into the SQL string (instead of using parameterization), the attacker can alter the query to read arbitrary server files or escalate access, potentially exposing sensitive configuration or credential data. This pattern demonstrates how Flask apps that rely on dangerous SQL functions without strict input controls become high-value attack surfaces.
Fix approach (Flask-specific): The remediation centers on eliminating untrusted string interpolation in SQL, using parameterized queries, and enforcing strict input validation. Whitelist allowed file paths, constrain the database user to minimal privileges (no access to pg_read_file or to sensitive files), and consider removing or hardening the use of dangerous PostgreSQL functions from the app’s data access layer. If feasible, upgrade to a patched vanna release or replace the functionality with a secure, server-side file reader that does not expose arbitrary server paths.
Implementation guidance: See the Code Fix Example below for a concrete vulnerable-vs-fixed comparison in a Flask app, illustrating how to switch from a vulnerable pattern to a safe, parameterized approach with file-path whitelisting.
Affected Versions
v0.3.4
Code Fix Example
Flask API Security Remediation
import os
from flask import Flask, request, jsonify
import psycopg2

# Connect using a URL like: postgres://user:pass@host/db
DATABASE_URL = os.environ.get("DATABASE_URL")
conn = psycopg2.connect(DATABASE_URL) if DATABASE_URL else None

# Whitelist only the files the application legitimately needs to serve.
# The entry below is a placeholder: replace it with your deployment's own
# non-sensitive paths, and never list system files such as /etc/passwd here.
ALLOWED_PATHS = {"/var/lib/app/exports/report.txt"}

app = Flask(__name__)


@app.route('/read_file_vuln', methods=['GET'])
def read_file_vuln():
    # Vulnerable pattern: direct interpolation of user input into SQL
    path = request.args.get('path', '')
    cur = conn.cursor()
    # NEVER DO THIS in production: vulnerable to SQL injection
    cur.execute("SELECT pg_read_file('%s')" % path)
    row = cur.fetchone()
    cur.close()
    content = row[0] if row else None
    return jsonify({"content": content})


@app.route('/read_file_fix', methods=['GET'])
def read_file_fix():
    # Safe pattern: validate input and use a parameterized query
    path = request.args.get('path', '')
    if path not in ALLOWED_PATHS:
        return jsonify({"error": "invalid path"}), 400
    if conn is None:
        return jsonify({"error": "database not configured"}), 503
    cur = conn.cursor()
    # psycopg2 binds the value as a literal; it is never spliced into the SQL text
    cur.execute("SELECT pg_read_file(%s)", (path,))
    row = cur.fetchone()
    cur.close()
    content = row[0] if row else None
    return jsonify({"content": content})


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)
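As an added defender-side example (not part of this advisory or of the vanna project), the following stdlib-only scanner walks Python source with the ast module and flags execute() calls whose SQL text is assembled at runtime, which is the pattern the vulnerable route above uses; the SAMPLE source it scans is constructed here to mirror the vulnerable and fixed lines.

```python
import ast
from typing import List, Optional, Tuple

# Cursor-style methods whose first argument is SQL text.
SQL_EXEC_METHODS = {"execute", "executemany"}


def _dynamic_sql_kind(node: ast.AST) -> Optional[str]:
    """Return a label if `node` builds SQL text at runtime, else None."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "percent-format"      # "... '%s'" % path
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenation"       # "..." + path
    if isinstance(node, ast.JoinedStr):
        return "f-string"            # f"... {path}"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"          # "...".format(path)
    return None


def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Scan Python source and return (line, kind) for every execute()
    whose SQL argument is built at runtime instead of being a constant
    string with a separate parameter tuple."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_EXEC_METHODS or not node.args:
            continue
        kind = _dynamic_sql_kind(node.args[0])
        if kind:
            findings.append((node.lineno, kind))
    return sorted(findings)


# Constructed sample: two injectable forms and the parameterized fix.
SAMPLE = '''
cur.execute("SELECT pg_read_file('%s')" % path)
cur.execute(f"SELECT pg_read_file('{path}')")
cur.execute("SELECT pg_read_file(%s)", (path,))
'''

if __name__ == "__main__":
    for line, kind in find_dynamic_sql(SAMPLE):
        print(f"line {line}: SQL built via {kind}")
```

Running it over a code base during review or CI surfaces every call site that needs the parameterized form; only the first two SAMPLE lines are reported, the third passes.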