Hiddenlayer

Products Impacted

This vulnerability is present in MindsDB versions v23.10.3.0 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has the Weaviate integration installed. The vulnerability can be exploited if an embedding vector filter is present because the argument for the embeddings column in a ‘SELECT WHERE’ clause is passed to an eval statement in the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file (shown below – edited to only include the relevant sections).

def select(
        self,
        table_name: str,
        columns: List[str] = None,
        conditions: List[FilterCondition] = None,
        offset: int = None,
        limit: int = None,
    ) -> HandlerResponse:

...

        # check if embedding vector filter is present
        vector_filter = (
            None
            if not conditions
            else [
                condition
                for condition in conditions
                if condition.column == TableField.SEARCH_VECTOR.value
                or condition.column == TableField.EMBEDDINGS.value
            ]
        )

...

        if vector_filter:
            # similarity search
            # assuming the similarity search is on content
            # assuming there would be only one vector based search per query
            vector_filter = vector_filter[0]
            near_vector = {
                "vector": eval(vector_filter.value)
                if isinstance(vector_filter.value, str)
                else vector_filter.value
            }
            query = query.with_near_vector(near_vector)

The eval function appears to be used for parsing valid Python data types from arbitrary user input but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above.

Related SAI Security Advisory

CVE-2025-62354

November 26, 2025

Allowlist Bypass in Run Terminal Tool Allows Arbitrary Code Execution During Autorun Mode

Cursor

When in autorun mode with the secure ‘Follow Allowlist’ setting, Cursor checks commands sent to run in the terminal by the agent to see if a command has been specifically allowed. The function that checks the command has a bypass to its logic, allowing an attacker to craft a command that will execute non-whitelisted commands.

November 2025

SAI-ADV-2025-012

October 17, 2025

Data Exfiltration from Tool-Assisted Setup

Windsurf

Windsurf’s automated tools can execute instructions contained within project files without asking for user permission. This means an attacker can hide instructions within a project file to read and extract sensitive data from project files (such as a .env file) and insert it into web requests for the purposes of exfiltration.

October 2025

The Most Comprehensive AI Security Platform

Innovation Hub

Insights

Guides

Research

Reports

Webinars

Podcasts

Security Advisory

Glossary

Go to Market

Technology alliance

AWS

Databricks

Research

About us

Newsroom

Careers