Summary
The Vanna.AI text-to-SQL library exposes an ask() method that, with visualization enabled by default, chains LLM output from generated SQL to generated Python plotting code to a Plotly visualization, running that generated code with exec(). An attacker supplying crafted natural-language input can use prompt injection to override the intended Plotly code and have arbitrary Python executed on the host, yielding remote code execution. The flaw, discovered by JFrog, affects versions up to and including 0.5.5 and is fixed in 0.5.6, or mitigated by disabling visualization for external input.
How to avoid it in your code
- Upgrade vanna to 0.5.6 or later, or disable visualization for any external input.
- Never pass LLM output to exec()/eval(); generate plots without dynamic code execution.
- Treat natural-language input to the ask() pipeline as untrusted data, not code.
- Sandbox any code execution with least privilege and no network egress.
- Validate/whitelist generated SQL and plot code before running.
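One way to apply the second and fifth points above, and to break the SQL-to-Python-to-exec() chain the Summary describes, is to have the model return a small JSON chart specification instead of Python code, validate that spec against allowlists and the real result columns, and build the figure yourself. This is an added example, not Vanna's code: the spec format, the allowlists, the sample rows and the model reply are assumptions, and rendering the resulting figure dict with Plotly is left to the caller.

```python
import json

# Allowlists: the model may only pick from these chart types and spec keys.
ALLOWED_CHART_TYPES = {"bar", "line", "scatter"}
ALLOWED_KEYS = {"chart_type", "x", "y", "title"}


class UnsafeChartSpec(ValueError):
    """Raised when the model's reply is not a valid, constrained chart spec."""


def parse_chart_spec(llm_output, columns):
    """Parse the model's JSON chart spec as data; it is never exec()'d or eval()'d."""
    try:
        spec = json.loads(llm_output)
    except json.JSONDecodeError as exc:
        # Python source, prose, or anything else that is not JSON is rejected.
        raise UnsafeChartSpec("reply is not JSON: %s" % exc) from None
    if not isinstance(spec, dict):
        raise UnsafeChartSpec("spec must be a JSON object")
    extra = set(spec) - ALLOWED_KEYS
    if extra:
        raise UnsafeChartSpec("unexpected keys: %s" % sorted(extra))
    if spec.get("chart_type") not in ALLOWED_CHART_TYPES:
        raise UnsafeChartSpec("unsupported chart_type")
    for axis in ("x", "y"):
        # Column names come from the real SQL result set, not from the model.
        if spec.get(axis) not in columns:
            raise UnsafeChartSpec("%s must name a result column" % axis)
    title = spec.get("title", "")
    if not isinstance(title, str) or len(title) > 120:
        raise UnsafeChartSpec("title must be a short string")
    return {"chart_type": spec["chart_type"], "x": spec["x"], "y": spec["y"], "title": title}


def build_figure(spec, rows):
    """Build a Plotly figure dict (plotly.graph_objects.Figure(fig) renders it)."""
    trace = {"type": "scatter" if spec["chart_type"] == "line" else spec["chart_type"],
             "x": [row[spec["x"]] for row in rows],
             "y": [row[spec["y"]] for row in rows]}
    if spec["chart_type"] == "line":
        trace["mode"] = "lines"
    return {"data": [trace], "layout": {"title": {"text": spec["title"]}}}


# Constructed sample data: rows from the SQL step and a well-formed model reply.
SAMPLE_ROWS = [{"region": "east", "revenue": 120}, {"region": "west", "revenue": 95}]
SAMPLE_REPLY = '{"chart_type": "bar", "x": "region", "y": "revenue", "title": "Revenue by region"}'

if __name__ == "__main__":
    fig = build_figure(parse_chart_spec(SAMPLE_REPLY, list(SAMPLE_ROWS[0])), SAMPLE_ROWS)
    print(json.dumps(fig, indent=1))
```

Because the reply is parsed as data, a reply that contains Python source, extra keys, an unlisted chart type or a column name that is not in the result set is refused before anything is drawn.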
Related vulnerabilities
- CRITICAL: AI-COPILOT-CAMOLEAK-2025
Legit Security disclosed CamoLeak (CVSS 9.6), a critical vulnerability in GitHub Copilot Chat enabling silent exfiltration of private source code and secrets. The attack combined remote prompt injection via hidden pull-request comments with a CSP bypass that abused GitHub's own Camo image proxy: injected instructions made Copilot extract sensitive repo context, encode it character-by-character into a pre-generated dictionary of Camo image URLs, and leak it through image requests to an attacker server. GitHub mitigated it by disabling image rendering in Copilot Chat in August 2025.
- HIGH: AI-SHADOWLEAK-2025
ShadowLeak is a server-side zero-click indirect prompt-injection attack against ChatGPT's Deep Research agent, discovered by Radware. An attacker emails the victim a message with instructions hidden in the HTML using white-on-white text and tiny fonts; when the user runs Deep Research over their inbox, the agent autonomously follows the hidden instructions and exfiltrates personal and inbox data. The distinguishing trait is that exfiltration occurs entirely server-side within OpenAI's cloud infrastructure, making it invisible to local and enterprise network defenses. The Gmail proof of concept generalizes to any Deep Research connector; OpenAI fixed it before public disclosure with no evidence of in-the-wild exploitation.
- HIGH: CVE-2025-54135
Aim Labs disclosed CurXecute (CVE-2025-54135, CVSS 8.6), a remote-code-execution flaw in the Cursor AI code editor reachable through prompt injection. Because Cursor runs with developer-level privileges and supports the Model Context Protocol, untrusted external data pulled in by an MCP server (for example a crafted Slack message) can redirect the agent's control flow and rewrite the global mcp.json configuration to execute arbitrary commands. Potential consequences include data exfiltration, ransomware deployment, and dependency poisoning; it was patched in Cursor 1.3 on July 29, 2025.
- HIGH: AI-AMAZON-Q-WIPER-2025
An attacker using the alias 'lkmanka58' submitted a pull request to Amazon's open-source Amazon Q Developer Extension GitHub repository on July 13, 2025; due to inadequate access controls it was merged, and the compromised version 1.84.0 shipped to the VS Code Marketplace on July 17, 2025. The injected payload was a prompt instructing the AI agent to act as a system cleaner and delete local file-system data and wipe AWS cloud resources via the CLI. Amazon stated the malicious code was incorrectly formatted and non-functional, revoked credentials, and released the fixed version 1.85.0 on July 24, 2025.
- MEDIUM: AI-GEMINI-WORKSPACE-2025
Marco Figueroa of Mozilla's 0DIN program documented a Gemini for Workspace flaw where an attacker hides instructions inside an email using HTML tags styled with font-size zero or white-on-white text, invisible to the recipient. When the user clicks "Summarize this email", Gemini processes the raw HTML and treats the hidden directive as a high-priority instruction, appending an attacker-crafted fake security warning, such as a fake support phone number, that appears to come from Google. No links or attachments are required, enabling credential harvesting and vishing at scale through indirect prompt injection.
- HIGH: AI-AGENT-INDIRECT-PROMPT-INJECTION-2025
Coding agents that autonomously read project and external content are vulnerable to indirect prompt injection, where hidden instructions placed in untrusted material the agent ingests hijack its behavior. The injection surface is broad: a poisoned README, source-code comment, GitHub issue or PR comment, a dependency's files, a fetched web page, or an MCP tool description, with instructions often concealed using invisible Unicode characters so a human reviewer never sees them, as Pillar Security demonstrated with the 'Rules File Backdoor' technique. Because the agent cannot distinguish trusted developer instructions from attacker text in the data it processes, the injected commands can direct it to insert a backdoor, weaken security controls, exfiltrate secrets, or run shell/MCP commands. Johann Rehberger (Embrace The Red) proved the data-exfiltration variant in Cursor with CVE-2025-54132 (disclosed June 30, 2025, fixed in v1.3): a comment-embedded payload made Cursor render a Mermaid diagram containing an attacker image URL, auto-firing an outbound request that leaked API keys and agent memory without confirmation. When the developer merges or runs the agent's resulting output unmonitored, the attacker-controlled changes land directly in the codebase or on the developer's machine.