A Server-Side Request Forgery (SSRF) vulnerability has been identified in vanna-ai/vanna, specifically when utilizing DuckDB as the database backend. This flaw allows attackers to craft malicious SQL queries that leverage DuckDB's functionalities, such as readcsv, readcsvauto, readtext, and read_blob, to initiate unauthorized requests to both internal and external resources. The vulnerability impacts all versions of vanna-ai/vanna up to the latest release, and a patch is expected to address this issue.
Detect this CVE in your project
Upload your requirements.txt file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
The SSRF vulnerability in vanna-ai/vanna poses a significant risk because it enables attackers to bypass security controls and access resources that should be protected. By crafting specific SQL queries, an attacker can manipulate DuckDB into making requests to internal services, external APIs, or even arbitrary URLs. This could lead to the exfiltration of sensitive data stored within the system, unauthorized access to internal network resources, and potentially, the launching of further attacks against other systems. The ability to read arbitrary files via read_csv and related functions expands the potential attack surface considerably, allowing attackers to potentially read configuration files or other sensitive data.
Exploitation Context
CVE-2024-8099 was publicly disclosed on 2025-03-20. The vulnerability's severity is rated HIGH (CVSS 8.3). Currently, there are no known public proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation depends on the configuration of the DuckDB instance and the network environment.
Threat Intelligence
Exploit Status
EPSS
0.09% (26% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- Low — partial or intermittent denial of service. Attacker can degrade performance.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-8099 is to upgrade to a patched version of vanna-ai/vanna as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds to limit the impact of the vulnerability. These workarounds may include restricting network access for the DuckDB instance, implementing strict input validation on SQL queries to prevent malicious commands, and utilizing a Web Application Firewall (WAF) to filter out suspicious requests. Monitor DuckDB logs for unusual activity, particularly requests to unexpected URLs. After upgrading, verify the fix by attempting to trigger the SSRF vulnerability with a known malicious query and confirming that the request is blocked or fails.
How to fix
Update the vanna-ai/vanna library to the latest available version. This should include the fix for the SSRF vulnerability. Verify the release notes to confirm that the vulnerability has been addressed.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2024-8099 — SSRF in vanna-ai/vanna?
CVE-2024-8099 is a Server-Side Request Forgery vulnerability in vanna-ai/vanna that allows attackers to make unauthorized requests through DuckDB's read_csv functions, potentially accessing sensitive data.
Am I affected by CVE-2024-8099 in vanna-ai/vanna?
If you are using vanna-ai/vanna with DuckDB as the database and have not upgraded to a patched version, you are potentially affected by this SSRF vulnerability.
How do I fix CVE-2024-8099 in vanna-ai/vanna?
The recommended fix is to upgrade to a patched version of vanna-ai/vanna as soon as it becomes available. Until then, implement workarounds like restricting network access and input validation.
Is CVE-2024-8099 being actively exploited?
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Where can I find the official vanna-ai advisory for CVE-2024-8099?
Refer to the official vanna-ai project repository and security advisories for updates and the latest information regarding CVE-2024-8099.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.