Eval on query parameters allows arbitrary code execution in Vector Database integrations

Products Impacted

This vulnerability is present in MindsDB versions v23.11.4.2 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has any of these affected integrations installed:

• PgVector
• Milvus
• LanceDB
• Xata
• Qdrant
• Pinecone
• ChromaDB
• WeaviateDB

The vulnerability exists because the argument for the embeddings column in an ‘UPDATE’ statement is passed into an eval statement in the _dispatch_update function of the mindsdb/integrations/libs/vectordatabase_handler.py file (shown below – edited to only include the relevant sections).

def _dispatch_update(self, query: Update):
        """
        Dispatch update query to the appropriate method.
        """
        table_name = query.table.parts[-1]
        row = {}
        for k, v in query.update_columns.items():
            k = k.lower()
            if isinstance(v, Constant):
                v = v.value
            if k == TableField.EMBEDDINGS.value and isinstance(v, str):
                # it could be embeddings in string
                try:
                    v = eval(v)
                except Exception:
                    pass
...

This function is part of the VectorStoreHandler class, which all of the vulnerable integrations inherit from. The eval function appears to be used for parsing valid Python data types from arbitrary user input, but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above.