Critical severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025
SQL Injection in run-llama/llama_index
CVE-2024-11958
Description
A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
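Added example, not code from llama_index: it contrasts the pattern the description refers to (a caller-controlled filter interpolated into the SQL text) with the same lookup using a bound parameter. The document table, its rows and the function names are constructed for the example, and sqlite3 stands in for DuckDB only so that it runs offline; DuckDB's Python API accepts the same `execute(sql, parameters)` shape.

```python
import sqlite3

# Constructed sample rows standing in for a retriever's document store.
DOCS = [
    (1, "Quarterly revenue summary", "finance"),
    (2, "Onboarding checklist", "hr"),
    (3, "Incident postmortem 2024-03", "security"),
]

def make_store():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents (id INTEGER, text TEXT, source TEXT)")
    con.executemany("INSERT INTO documents VALUES (?, ?, ?)", DOCS)
    return con

def retrieve_unsafe(con, source):
    # Vulnerable pattern: the filter value becomes part of the SQL text,
    # so a quote character inside it changes the structure of the query.
    sql = f"SELECT id FROM documents WHERE source = '{source}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def retrieve_safe(con, source):
    # Hardened pattern: a bound parameter is always treated as a value and
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT id FROM documents WHERE source = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (source,))]

def demo():
    con = make_store()
    # A filter value that closes the string literal and appends a tautology.
    crafted = "hr' OR '1'='1"
    return {
        "unsafe_normal": retrieve_unsafe(con, "hr"),
        "unsafe_crafted": retrieve_unsafe(con, crafted),   # every row leaks
        "safe_normal": retrieve_safe(con, "hr"),
        "safe_crafted": retrieve_safe(con, crafted),       # no row matches
    }

if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
```

The unsafe variant returns all three ids for the crafted filter, while the parameterized variant returns none because the whole string is compared as a literal.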
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llama-index-retrievers-duckdb-retriever (PyPI) | < 0.4.0 | 0.4.0 |
Affected products: 2 (range: unspecified)