VYPR
Critical severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

SQL Injection in run-llama/llama_index

CVE-2024-11958

Description

A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
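The defect class described above, as an added example that is not llama_index's own code: a minimal retriever-style search that builds its SQL by string interpolation, beside the prepared-statement form the fix calls for, run against a constructed in-memory table. The table layout, the LIKE-based search, the tautology payload and the sqlite3 fallback (used only when the duckdb module is not installed) are assumptions, not details taken from the project.

```python
"""Vulnerable vs. parameterized query construction (added example, not llama_index code)."""

# Assumption: DuckDB is the engine named in the advisory; the standard-library
# sqlite3 module is a fallback so the example still runs without duckdb installed.
# Both expose connect(":memory:"), execute(sql, params) with '?' placeholders, and fetchall().
try:
    import duckdb as _db
except ImportError:
    import sqlite3 as _db

# Constructed sample corpus; the table shape is an assumption.
DOCS = [
    (1, "public release notes"),
    (2, "internal salary spreadsheet"),
    (3, "customer support faq"),
]


def make_conn():
    """Create an in-memory database holding the constructed documents table."""
    conn = _db.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER, body VARCHAR)")
    for row in DOCS:
        conn.execute("INSERT INTO docs VALUES (?, ?)", list(row))
    return conn


def search_vulnerable(conn, query_str):
    """Interpolates the caller's text into the statement, so it is parsed as SQL grammar."""
    sql = f"SELECT id, body FROM docs WHERE body LIKE '%{query_str}%' ORDER BY id"
    return conn.execute(sql).fetchall()


def search_fixed(conn, query_str):
    """Binds the caller's text as a value; the engine never treats it as SQL."""
    sql = "SELECT id, body FROM docs WHERE body LIKE ? ORDER BY id"
    return conn.execute(sql, [f"%{query_str}%"]).fetchall()


def demo():
    """Run both variants on an ordinary term and on a constructed tautology payload."""
    conn = make_conn()
    payload = "zzz' OR 1=1 --"  # constructed: closes the literal, then comments out the rest
    return {
        "normal_vuln": search_vulnerable(conn, "faq"),
        "normal_fixed": search_fixed(conn, "faq"),
        "payload_vuln": search_vulnerable(conn, payload),   # every row leaks
        "payload_fixed": search_fixed(conn, payload),       # no row matches the literal
    }
```

The bound form is the whole fix: once the search text arrives as a parameter, no quoting or filtering of that text is needed for the query to stay intact.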

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: llama-index-retrievers-duckdb-retriever (PyPI)
Affected versions: < 0.4.0
Patched versions: 0.4.0
