CVE-2024-8099 Overview
CVE-2024-8099 is a Server-Side Request Forgery (SSRF) vulnerability affecting the latest version of vanna-ai/vanna when configured with DuckDB as the backing database. Attackers submit crafted SQL queries that abuse DuckDB's built-in functions such as read_csv, read_csv_auto, read_text, and read_blob to issue outbound HTTP requests from the server. The flaw maps to CWE-918: Server-Side Request Forgery and requires no authentication to exploit.
Critical Impact
Unauthenticated attackers can force the vanna server to fetch arbitrary internal or external URLs, exposing internal services, cloud metadata endpoints, and sensitive files.
Affected Products
- vanna-ai/vanna (latest version at time of disclosure)
- Deployments configured with DuckDB as the query backend
- Any downstream application embedding vanna with DuckDB connectivity
Discovery Timeline
- 2025-03-20 - CVE-2024-8099 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-8099
Vulnerability Analysis
The vanna-ai/vanna project translates natural language prompts into SQL and executes the generated statements against a configured database. When DuckDB is the backend, generated or attacker-influenced SQL can invoke DuckDB table functions that transparently accept HTTP and HTTPS URLs as data sources. Functions such as read_csv('https://attacker.tld/x.csv'), read_csv_auto, read_text, and read_blob cause DuckDB to perform outbound network requests from the server process.
The attack requires no privileges and no user interaction, and the impact crosses a trust boundary because the vanna server issues requests on behalf of the attacker. See the Huntr Vulnerability Report for the original disclosure.
Root Cause
DuckDB exposes remote file-reading functions by default and treats URLs as first-class data sources. vanna does not sanitize or restrict URL arguments passed to these functions before executing SQL, and it does not enforce a network egress allowlist on the DuckDB process. Any SQL statement reaching DuckDB, whether authored by a user, generated by the LLM, or injected through prompt manipulation, can trigger arbitrary outbound requests.
Attack Vector
An attacker submits a prompt or SQL fragment that reaches DuckDB containing a call such as SELECT * FROM read_csv_auto('http://169.254.169.254/latest/meta-data/'). DuckDB resolves the URL and returns response contents into the query result, which the application then relays or logs. Attackers can enumerate internal services on 127.0.0.1, target cloud instance metadata endpoints, read local files via file:// handlers where supported, and exfiltrate data through crafted URLs.
No verified public exploit code is available. The vulnerability mechanism is described in prose based on the Huntr Vulnerability Report.
Detection Methods for CVE-2024-8099
Indicators of Compromise
- Outbound HTTP or HTTPS connections from the vanna or DuckDB process to unexpected destinations, especially cloud metadata IPs such as 169.254.169.254.
- SQL query logs containing calls to read_csv, read_csv_auto, read_text, or read_blob with URL arguments supplied by end users.
- DNS lookups from application servers to attacker-controlled domains that correlate with user-submitted prompts.
Detection Strategies
- Enable SQL query logging on the DuckDB backend and alert on any statement referencing DuckDB remote-read functions with http://, https://, s3://, or file:// schemes.
- Inspect application logs for LLM-generated SQL that contains URL literals passed to table functions.
- Baseline egress traffic from the vanna host and alert on new outbound destinations, particularly link-local and RFC1918 ranges.
Monitoring Recommendations
- Forward web server, application, and DuckDB query logs to a centralized SIEM and correlate prompt inputs with subsequent outbound network events.
- Monitor cloud audit logs for unexpected access to instance metadata service (IMDS) endpoints from application hosts.
- Track EDR telemetry for the vanna process establishing sockets to non-database destinations.
How to Mitigate CVE-2024-8099
Immediate Actions Required
- Restrict outbound network access from the vanna and DuckDB host to only the destinations required for legitimate operation.
- Block DNS resolution and routing to cloud metadata endpoints such as 169.254.169.254 from application subnets.
- Enforce input validation and SQL allowlisting so user-supplied prompts cannot inject calls to read_csv, read_csv_auto, read_text, or read_blob.
Patch Information
No vendor-supplied fix is referenced in the NVD entry at the time of publication. Monitor the vanna-ai/vanna repository and the Huntr Vulnerability Report for remediation guidance and upgrade instructions.
Workarounds
- Switch to a database backend that does not expose remote-read functions, or run DuckDB in a sandbox that denies outbound network access.
- Configure a strict SQL parser or query rewriter in front of DuckDB that rejects statements referencing URL-accepting table functions.
- Run the vanna service under a dedicated network policy or container with egress limited to explicitly required hosts.
# Example egress restriction using iptables to block AWS IMDS from the vanna host
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner vanna -j REJECT
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner vanna -j REJECT
# Allow only required destinations
iptables -I OUTPUT -p tcp -d <db-host-ip> --dport 5432 -m owner --uid-owner vanna -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

