Critical severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025
SQL Injection to RCE in run-llama/llama_index
CVE-2024-12909
Description
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the run_sql_query function of the database_agent. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.
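The defensive pattern this class of bug calls for, shown as an added example that is not code from the llama_index repository: a hypothetical `run_sql_query_unguarded` with the vulnerable shape (model-generated SQL executed verbatim) beside a guarded version that accepts only a single read statement and runs it on a connection whose authorizer refuses everything but reads, the SQLite stand-in for a read-only PostgreSQL role. It uses an in-memory SQLite database with constructed rows so it runs offline.

```python
import sqlite3

# Constructed in-memory stand-in for the finance database the agent queries.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (ticker TEXT, close REAL)")
    conn.executemany("INSERT INTO prices VALUES (?, ?)",
                     [("ACME", 10.5), ("XYZ", 42.0)])
    conn.commit()
    return conn

def run_sql_query_unguarded(conn: sqlite3.Connection, query: str) -> None:
    # Vulnerable shape (hypothetical, not the project's code): whatever text the
    # model emits is executed as-is, chained statements included.
    conn.executescript(query)

def _is_single_select(query: str) -> bool:
    # Cheap first filter: one statement, starting with SELECT or WITH, no chained
    # statements and no comment markers. Not sufficient on its own: SQLite lets
    # WITH prefix INSERT/UPDATE/DELETE, so the authorizer below does the real work.
    q = query.strip().rstrip(";").strip()
    if not q or ";" in q or "--" in q or "/*" in q:
        return False
    return q.split(None, 1)[0].upper() in ("SELECT", "WITH")

# The only actions a read-only tool needs: run a SELECT, read a column, call a function.
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def make_read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    # Least-privilege layer: the engine itself vetoes writes, DDL, transactions
    # and anything else at prepare time, regardless of what the query text says.
    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn

def run_sql_query_guarded(conn: sqlite3.Connection, query: str):
    """Return the result rows of an allowed query, or None when it is refused."""
    if not _is_single_select(query):
        return None
    try:
        return conn.execute(query).fetchall()
    except sqlite3.DatabaseError:  # an authorizer veto surfaces as "not authorized"
        return None
```

Pair the guarded connection with a database role that has no write or extension privileges; the authorizer only limits what this process can do, not what the account can.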
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llama-index-packs-finchat (PyPI) | <= 0.3.0 | — |
References
- github.com/advisories/GHSA-x48g-hm9c-ww42 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-12909 (advisory)
- github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75 (web)
- github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat (web)
- huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f (web)