Onyx
CVE-2025-7894
LOW
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability, which was classified as critical, has been found in Onyx up to 0.29.1. This issue affects the function generate_simple_sql of the file backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py of the component Chat Interface. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
SQL injection in Onyx's Chat Interface lets an authenticated remote attacker (PR:L in the vector) manipulate database queries through the generate_simple_sql function of the knowledge-base search agent. Versions up to and including 0.29.1 are affected. The CVSS score recorded here is low (2.1), reflecting the authentication requirement and the limited confidentiality, integrity and availability impact on the vulnerable component, but the exploit is public and the vendor did not respond to the early disclosure, so the practical risk is higher for deployments that cannot patch quickly.
Technical Context (AI)
The vulnerability resides in the generate_simple_sql function in backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py, part of Onyx's Chat Interface component. It is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), the generic parent of SQL injection (CWE-89): special characters in input reach the database as part of the statement text rather than as data. The entry does not include the affected code; the description indicates that user-controlled input from the chat flow is incorporated into SQL statement text without neutralization or parameter binding. Onyx (formerly Danswer) is an open-source AI assistant and enterprise search platform, so the Chat Interface is a primary attack surface in which user queries directly drive backend data access.
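An added illustration of the injection pattern described above, placed beside a parameterized counterpart. It was written for this page and is not taken from the Onyx code base: the tables, columns, payload and the shape of the query-building functions are constructed for the demonstration, and SQLite stands in for the application's database.

```python
"""Added illustration: a query assembled from user input by string formatting,
beside a parameterized version with an identifier allow-list. This is not Onyx
code; the tables, columns, payload and function shapes are constructed for the
demonstration and SQLite stands in for the real database."""
import sqlite3

# Tables the chat-facing query path is meant to read from. Identifiers cannot
# be bound as parameters, so they are checked against this fixed set instead.
ALLOWED_TABLES = {"kb_entity"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small knowledge-base table plus a table the
    chat path must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kb_entity (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO kb_entity (name, owner) VALUES (?, ?)",
        [("roadmap-2025", "alice"), ("budget-q3", "bob"), ("onboarding", "alice")],
    )
    conn.execute("CREATE TABLE api_key (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO api_key (owner, secret) VALUES (?, ?)",
        [("alice", "sk-alice-REDACTED"), ("bob", "sk-bob-REDACTED")],
    )
    conn.commit()
    return conn


def build_query_unsafe(owner: str) -> str:
    """The pattern the advisory describes: the caller's value is spliced into
    the statement text, so a quote character in it rewrites the query."""
    return f"SELECT name FROM kb_entity WHERE owner = '{owner}'"


def query_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Run the string-built statement exactly as assembled."""
    return [row[0] for row in conn.execute(build_query_unsafe(owner))]


def query_safe(conn: sqlite3.Connection, table: str, owner: str) -> list[str]:
    """Hardened form: the identifier is allow-listed and quoted, the value is
    bound as a parameter and can only ever be compared, never parsed as SQL."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted for chat queries: {table!r}")
    sql = f'SELECT name FROM "{table}" WHERE owner = ?'
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the literal, appends a UNION that reads the
    # secret table, and comments out the dangling quote.
    payload = "' UNION SELECT secret FROM api_key --"
    print("unsafe, benign input:", query_unsafe(db, "alice"))
    print("unsafe, payload     :", query_unsafe(db, payload))
    print("safe,   payload     :", query_safe(db, "kb_entity", payload))
```

With the payload, the string-built query returns the contents of api_key while the bound-parameter query returns nothing, because the payload is compared as an owner value rather than parsed as SQL. The identifier allow-list matters whenever statement text is produced dynamically: parameter binding protects values only, so any table or column name chosen at runtime has to be checked against a fixed set before it is quoted into the statement.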
Remediation (AI)
No vendor-released patch was identified at the time of analysis, and the vendor did not respond to the early disclosure. Upgrade to a release later than 0.29.1 once the maintainers publish one; check the project's release notes on GitHub (https://github.com/onyx-dot-app/onyx). Until then, the application-layer fix is to stop building SQL from chat-derived strings: bind values as query parameters and check any dynamically chosen identifiers (table or column names) against a fixed allow-list, since identifiers cannot be parameterized.

Compensating controls, each with its trade-off: restrict Chat Interface access to trusted internal users via network segmentation or an authentication gateway (removes the remote attack surface, at the cost of availability to outside users); disable the knowledge-base search feature if it is not essential (removes the vector entirely, at the cost of the feature); and monitor database statement logs for anomalous SQL patterns (does not prevent exploitation, but shortens detection and response time).

At the database level, run Onyx with an account holding the minimum privileges it needs (read-only on the queried tables where feasible, no DDL), which limits what a successful injection can modify but does not stop exfiltration of data the account can read. Contact the Onyx maintainers directly to raise the patch priority given the non-response to the initial disclosure.
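For the query-monitoring control, an added example of the kind of detection logic that could run over database statement logs. It is not Onyx's or the vendor's code. The log lines are constructed here in the shape of PostgreSQL output with log_statement = 'all', and the indicator list is a coarse starting point for alerting and triage, not a filter to block queries on.

```python
"""Added example: flag SQL-injection indicators in database statement logs.
The log lines below are constructed (PostgreSQL-style, log_statement = 'all')
and are not real Onyx logs. Indicators are deliberately coarse: the aim is to
raise an alert for a human, not to decide whether a query may run."""
import re

SAMPLE_LOG = """\
2025-07-20 10:01:02.113 UTC [4812] onyx@onyx LOG:  statement: SELECT name FROM kb_entity WHERE owner = 'alice'
2025-07-20 10:01:05.770 UTC [4812] onyx@onyx LOG:  statement: SELECT name FROM kb_entity WHERE owner = '' UNION SELECT secret FROM api_key --'
2025-07-20 10:01:09.004 UTC [4813] onyx@onyx LOG:  statement: SELECT count(*) FROM kb_entity WHERE owner = 'bob' OR 1=1
2025-07-20 10:01:12.331 UTC [4813] onyx@onyx LOG:  statement: SELECT name FROM kb_entity WHERE id = 3; DROP TABLE kb_entity
2025-07-20 10:01:15.002 UTC [4814] onyx@onyx LOG:  statement: SELECT table_name FROM information_schema.tables
2025-07-20 10:01:18.950 UTC [4814] onyx@onyx LOG:  statement: SELECT pg_sleep(5)
2025-07-20 10:01:20.101 UTC [4812] onyx@onyx LOG:  statement: SELECT name FROM kb_entity WHERE owner = 'carol'
"""

# Pulls the statement text out of a "LOG:  statement: ..." line.
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")

# (label, pattern) pairs; the label is what ends up in the alert.
INDICATORS = [
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("comment_terminator", re.compile(r"--|/\*")),
    ("stacked_statement", re.compile(
        r";\s*(?:DROP|ALTER|INSERT|UPDATE|DELETE|CREATE|GRANT|COPY)\b", re.I)),
    # OR 1=1, OR 'a'='a': same literal on both sides of the comparison.
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\b|\bpg_catalog\b", re.I)),
    ("time_based", re.compile(r"\bpg_sleep\s*\(", re.I)),
]


def extract_statement(line: str):
    """Return the SQL text of a statement log line, or None for other lines."""
    m = STATEMENT_RE.search(line)
    return m.group("sql").strip() if m else None


def classify(sql: str) -> list[str]:
    """Labels of every indicator that matches the statement, in list order."""
    return [label for label, rx in INDICATORS if rx.search(sql)]


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """(statement, labels) for each statement that triggers an indicator."""
    hits = []
    for line in text.splitlines():
        sql = extract_statement(line)
        if sql is None:
            continue
        labels = classify(sql)
        if labels:
            hits.append((sql, labels))
    return hits


if __name__ == "__main__":
    for sql, labels in scan_log(SAMPLE_LOG):
        print(f"{', '.join(labels):36s} {sql}")
```

Against the constructed sample, the two ordinary lookups pass clean and the other five statements are each flagged with the indicator that describes them. Expect noise from legitimate queries that use comments or probe the catalog; tune the list to the application's normal statement shapes before wiring it to paging.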