SQL Injection in run-llama/llama_index
Description
A vulnerability in the default_jsonalyzer function of the JSONalyzeQueryEngine in the run-llama/llama_index repository allows SQL injection via prompt injection: SQL that the LLM generates from an attacker-influenced prompt is executed directly against SQLite. This can lead to arbitrary file creation and denial-of-service (DoS). The issue affected the latest release at the time of reporting; the fix moves the engine into the llama-index-experimental package, released as version 0.5.1 (the affected-packages table below lists llama-index < 0.12.3 as affected and 0.12.3 as patched).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LlamaIndex's JSONalyzeQueryEngine executes LLM-generated SQL against SQLite, so prompt injection becomes SQL injection, allowing arbitrary file creation and DoS; the engine was moved to llama-index-experimental, with a warning, in version 0.5.1.
Vulnerability
Overview
The JSONalyzeQueryEngine in the run-llama/llama_index repository loads the JSON it is asked about into a SQLite table, has the LLM translate the user's natural-language question into SQL, and then executes that SQL in its default_jsonalyzer function. Nothing constrains what the generated SQL may do: anyone who can influence the prompt, directly or through content the model reads, can steer the model into emitting arbitrary SQL statements, and those statements run unchanged against SQLite [1]. Prompt injection therefore turns into SQL injection, with the LLM acting as the query author.
Exploitation
An attacker exploits this by supplying a malicious prompt to any service that routes user questions through the JSONalyzeQueryEngine; no authentication is needed beyond whatever the service places in front of its query interface. Because the generated SQL is handed to SQLite as-is, the attacker obtains arbitrary SQL. The most direct consequence is ATTACH DATABASE with an attacker-chosen path, which makes SQLite create that file on the server's filesystem [3]; statements that never terminate, or that inflate intermediate results, serve as a denial of service. Filtering the user's prompt is not a dependable defence here: the SQL is written by the model rather than typed by the user, so the reliable controls sit at the SQLite execution layer (which statements the connection may run, and for how long) or around the whole process (a sandbox).
Impact
Successful exploitation yields arbitrary file creation on the server's filesystem and denial of service. File creation comes from SQLite's ATTACH DATABASE, which opens, and if necessary creates, whatever path the statement names; the attacker can then write chosen content into that file through the attached database, exhaust disk with it, or plant it somewhere a later component trusts. The fix commit's own warning states that the engine may lead to arbitrary file creation and requires heavy sandboxing or a virtual machine [3]. All llama-index releases before the fix (< 0.12.3 in the affected-packages table) carry the issue.
Mitigation
The fix ships as llama-index-experimental 0.5.1 and llama-index 0.12.3 (see the affected-packages table). It does not sanitize the generated SQL: the commit moves JSONalyzeQueryEngine out of llama-index-core into the llama-index-experimental package, leaves a stub in core whose constructor raises DeprecationWarning pointing at the new location, and adds a module-level warning that the engine executes LLM-generated SQL, may create arbitrary files, and is not recommended for production without heavy sandboxing or a virtual machine [3]. Users should upgrade llama-index to 0.12.3 or later, which removes the runnable engine from core, and should drop the engine from production paths. If it is still needed, install llama-index-experimental 0.5.1 or later and run it only in an isolated environment; the maintainers recommend no workaround short of removal or heavy sandboxing [3][4].
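The execution pattern and the two SQLite-level controls discussed under Exploitation, Impact and Mitigation, as an added example that is not llama_index's own code: a minimal model of the engine that loads constructed JSON rows into SQLite and runs an LLM-authored SQL string exactly as written, beside a hardened variant that uses SQLite's authorizer to permit only read actions and a progress-handler budget to interrupt runaway statements. The table name, sample rows and helper names are assumptions of the example, and the real engine's loading code is not reproduced. The hardened form generalizes beyond the ATTACH case the advisory names: every non-read action is refused at prepare time, before any file could be opened.

```python
"""Model of the JSONalyze execution pattern and a hardened variant.

Added example, not llama_index code. Rows of JSON go into a SQLite table and
an LLM-authored SQL string is executed against it, as JSONalyzeQueryEngine
does; table name, sample rows and helper names are assumptions.
"""
import sqlite3

# Constructed sample data standing in for the JSON the engine is asked about.
ROWS = [
    {"name": "alice", "dept": "eng", "salary": 120},
    {"name": "bob", "dept": "eng", "salary": 100},
    {"name": "carol", "dept": "ops", "salary": 90},
]
TABLE = "items"  # assumed table name


def new_db(rows=ROWS):
    """Load dict rows into a fresh in-memory SQLite table."""
    cols = list(rows[0])
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "%s" (%s)' % (TABLE, ", ".join('"%s"' % c for c in cols)))
    conn.executemany(
        'INSERT INTO "%s" VALUES (%s)' % (TABLE, ", ".join("?" * len(cols))),
        [tuple(r[c] for c in cols) for r in rows],
    )
    conn.commit()  # leave no transaction open; SQLite refuses ATTACH inside one
    return conn


def run_unsafe(sql, rows=ROWS):
    """The vulnerable shape: the SQL the model produced runs exactly as written."""
    conn = new_db(rows)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


# Authorizer actions a read-only question over the loaded table needs.
# SQLITE_RECURSIVE lets recursive CTEs compile; the execution budget below
# bounds them. Everything else (ATTACH, CREATE, INSERT, PRAGMA, ...) is denied.
_ALLOWED_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
    getattr(sqlite3, "SQLITE_RECURSIVE", 33),  # constant missing on very old builds
}


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Called by SQLite while compiling a statement, before anything executes."""
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def run_hardened(sql, rows=ROWS, max_ticks=2000):
    """Same engine shape with two SQLite-level guards.

    Returns ("ok", rows) or ("refused", reason). A denied action surfaces as
    "not authorized" at prepare time, so ATTACH never opens its file; a
    statement that outlives the budget is interrupted mid-execution.
    """
    conn = new_db(rows)
    ticks = {"n": 0}

    def budget():
        ticks["n"] += 1
        return 1 if ticks["n"] > max_ticks else 0  # non-zero aborts the statement

    try:
        conn.set_authorizer(_authorizer)
        conn.set_progress_handler(budget, 1000)  # called every 1000 VM instructions
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # includes OperationalError("interrupted")
        return "refused", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    import os
    import tempfile

    target = os.path.join(tempfile.mkdtemp(), "planted.db")
    payload = "ATTACH DATABASE '%s' AS evil" % target  # what a steered LLM might emit
    run_unsafe(payload)
    print("unsafe engine created file:", os.path.exists(target))
    print("hardened engine:", run_hardened(payload))
    print("runaway query:", run_hardened(
        "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
        "SELECT count(*) FROM c"))
```

The authorizer is the right layer for this class of bug because it runs during statement compilation: a denied ATTACH, CREATE or PRAGMA never reaches execution, whereas filtering the prompt or regex-matching the generated SQL can be talked around. The progress handler is the complementary control for the DoS side, since a syntactically innocent SELECT can still run forever. Neither replaces the sandboxing the maintainers ask for; they narrow what escapes it.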
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llama-index (PyPI) | < 0.12.3 | 0.12.3 |
Affected products
- Range: <= 0.5.0
- run-llama/run-llama/llama_index v5: Range unspecified
Patches
1bf282074e20e [FIX] Move `JSONalyzeQueryEngine` to experimental (#17110)
8 files changed · +57 −2
llama-index-core/llama_index/core/query_engine/__init__.py+1 −1 modified@@ -15,7 +15,7 @@ from llama_index.core.query_engine.graph_query_engine import ( ComposableGraphQueryEngine, ) -from llama_index.core.query_engine.jsonalyze_query_engine import ( +from llama_index.core.query_engine.jsonalyze import ( JSONalyzeQueryEngine, ) from llama_index.core.query_engine.knowledge_graph_query_engine import (
llama-index-core/llama_index/core/query_engine/jsonalyze/BUILD+1 −0 added@@ -0,0 +1 @@ +python_sources()
llama-index-core/llama_index/core/query_engine/jsonalyze/__init__.py+7 −0 added@@ -0,0 +1,7 @@ +"""Init file.""" + +from llama_index.core.query_engine.jsonalyze.jsonalyze_query_engine import ( + JSONalyzeQueryEngine, +) + +__all__ = ["JSONalyzeQueryEngine"]
llama-index-core/llama_index/core/query_engine/jsonalyze/jsonalyze_query_engine.py+28 −0 added@@ -0,0 +1,28 @@ +"""JSONalyze Query Engine. + +WARNING: This tool executes a SQL prompt generated by the LLM with SQL Lite and +may lead to arbitrary file creation on the machine running this tool. +This tool is not recommended to be used in a production setting, and would +require heavy sandboxing or virtual machines. + +DEPRECATED: Use `JSONalyzeQueryEngine` from `llama-index-experimental` instead. + +""" + +from typing import Any + + +class JSONalyzeQueryEngine: + """JSONalyze query engine. + + DEPRECATED: Use `JSONalyzeQueryEngine` from `llama-index-experimental` instead. + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + raise DeprecationWarning( + "JSONalyzeQueryEngine has been moved to `llama-index-experimental`.\n" + "`pip install llama-index-experimental`\n" + "`from llama_index.experimental.query_engine import JSONalyzeQueryEngine`\n" + "Note that the JSONalyzeQueryEngine allows for arbitrary file creation, \n" + "and should be used in a secure environment." + )
llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/BUILD+1 −0 added@@ -0,0 +1 @@ +python_sources()
llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/__init__.py+7 −0 added@@ -0,0 +1,7 @@ +"""Init file.""" + +from llama_index.core.query_engine.jsonalyze.jsonalyze_query_engine import ( + JSONalyzeQueryEngine, +) + +__all__ = ["JSONalyzeQueryEngine"]
llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py+11 −0 renamed@@ -1,3 +1,14 @@ +"""JSONalyze Query Engine. + +WARNING: This tool executes a SQL prompt generated by the LLM with SQL Lite and +may lead to arbitrary file creation on the machine running this tool. +This tool is not recommended to be used in a production setting, and would +require heavy sandboxing or virtual machines. + +DEPRECATED: Use `JSONalyzeQueryEngine` from `llama-index-experimental` instead. + +""" + import asyncio import json import logging
llama-index-experimental/pyproject.toml+1 −1 modified@@ -25,7 +25,7 @@ exclude = ["**/BUILD"] license = "MIT" name = "llama-index-experimental" readme = "README.md" -version = "0.5.0" +version = "0.5.1" [tool.poetry.dependencies] python = ">=3.10,<4.0"
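Review bot: in the new core stub (llama-index-core/.../jsonalyze/jsonalyze_query_engine.py), `__init__` raises `DeprecationWarning` as an exception instead of emitting it through `warnings.warn`, so any code that constructs `JSONalyzeQueryEngine` from core now fails hard at runtime while `from llama_index.core.query_engine import JSONalyzeQueryEngine` (kept working by the first hunk's re-export) still succeeds at import time. That is a defensible way to force the migration, but it is a breaking change and should be recorded as one; the message would also be easier to act on if it stated that the SQL execution behaviour is unchanged in the experimental copy, so that nobody reads "moved to experimental" as "fixed".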
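Review bot: llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/__init__.py imports `JSONalyzeQueryEngine` from `llama_index.core.query_engine.jsonalyze.jsonalyze_query_engine`, which is the deprecation stub this same commit adds to core, not the real engine renamed into `llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py` beside it. As written, the import path the stub's message points users to resolves back to the stub, and every construction raises the same DeprecationWarning; the line should be `from llama_index.experimental.query_engine.jsonalyze.jsonalyze_query_engine import (JSONalyzeQueryEngine,)`. The mistake also makes the experimental package depend on the core module path surviving future cleanups.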
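Review bot: the docstring added at the top of the renamed experimental module (llama-index-experimental/.../jsonalyze/jsonalyze_query_engine.py) still ends with "DEPRECATED: Use `JSONalyzeQueryEngine` from `llama-index-experimental` instead", but this file is the llama-index-experimental copy, so the sentence points readers at themselves; keep that line only in the core stub. Since the hunk is +11 −0 on a rename, the WARNING paragraph is the only change to this module and the SQL execution path is untouched, so the docstring is documenting an accepted risk rather than a fix and should say so plainly.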
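Review bot: only llama-index-experimental is bumped here (0.5.0 → 0.5.1); the core package's pyproject is not among the 8 changed files, yet the core `__init__.py` and stub are what stop the vulnerable engine from being importable from llama-index-core. Confirm that the core release carrying these changes is cut and its version recorded alongside 0.5.1, since the advisory's affected range is expressed in core versions.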
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.