VYPR
Critical severityNVD Advisory· Published Mar 20, 2025· Updated Mar 20, 2025

SQL Injection to RCE in run-llama/llama_index

CVE-2024-12909

Description

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the run_sql_query function of the database_agent. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
llama-index-packs-finchatPyPI
<= 0.3.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.