CVE-2024-5565
published 2024-05-31CVE-2024-5565: The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run…
PriorityP262high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
EPSS
14.96%
96.3th percentile
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vanna-ai | vanna | 0 – 0.5.5 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2024-5565 is cited as a documented real-world prompt injection vulnerability; treat any external/untrusted input passed to Vanna's ask() as a potential injection vector. ↗
- ·The attack is a prompt injection — the malicious payload is delivered via natural language input to the LLM, not a traditional code injection path, meaning standard input validation and WAF rules are insufficient on their own. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Vanna prompt injection code execution
osv·2024-05-31
CVE-2024-5565 [CRITICAL] Vanna prompt injection code execution
Vanna prompt injection code execution
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.
GHSA
Vanna prompt injection code execution
ghsa·2024-05-31
CVE-2024-5565 [CRITICAL] CWE-77 Vanna prompt injection code execution
Vanna prompt injection code execution
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.
No detection rules found.
No public exploits indexed.
arXiv
Prompt Injection 2.0: Hybrid AI Threats
arxiv_fulltext·2025-07-17
Prompt Injection 2.0: Hybrid AI Threats
Abstract
## Abstract
Prompt injection attacks, where malicious input is designed to manipulate AI systems into ignoring their original instructions and following unauthorized commands instead, were first discovered by Preamble, Inc. in May 2022 and responsibly disclosed to OpenAI. Over the last three years, these attacks have remained a critical security threat for LLM-integrated systems. The emergence of agentic AI systems, where LLMs autonomously perform multistep tasks through tools and coordination with other agents, has fundamentally transformed the threat landscape. Modern prompt injection attacks can now combine with traditional cybersecurity exploits to create hybrid threats that systematically evade traditional security controls, but also, like in the case of academic peer revie
arXiv
Design Patterns for Securing LLM Agents against Prompt Injections
arxiv_fulltext·2025-06-27
Design Patterns for Securing LLM Agents against Prompt Injections
## Abstract
As AI agents powered by Large Language Models (LLMs) become increasingly versatile and capable of addressing a broad spectrum of tasks, ensuring their security has become a critical challenge. Among the most pressing threats are prompt injection attacks, which exploit the agent's resilience on natural language inputs — an especially dangerous threat when agents are granted tool access or handle sensitive information. In this work, we propose a set of principled design patterns for building AI agents with provable resistance to prompt injection. We systematically analyze these patterns, discuss their trade-offs in terms of utility and security, and illustrate their real-world applicability through a series of case studies.
## Introduction
Large Language Models (LLMs) are beco
CWE
Improper Neutralization of Input Used for LLM Prompting
mitre_cwe
CWE-1427 Improper Neutralization of Input Used for LLM Prompting
CWE-1427: Improper Neutralization of Input Used for LLM Prompting
The product uses externally-provided data to build prompts provided to
large language models (LLMs), but the way these prompts are constructed
causes the LLM to fail to distinguish between user-supplied inputs and
developer provided system directives.
When prompts are constructed using externally controllable data, it is
often possible to cause an LLM to ignore the original guidance provided by
its creators (known as the "system prompt") by inserting malicious
instructions in plain human language or using bypasses such as special
characters or tags. Because LLMs are designed to treat all instructions as
legitimate, there is often no way for the model to differentiate between
what prompt language is malicious when it perfor
CWE
Improper Control of Generation of Code ('Code Injection')
mitre_cwe
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
2024-05-31
Published