High severityNVD Advisory· Published May 16, 2024· Updated Aug 1, 2024
Command Injection in run-llama/llama_index
CVE-2024-4181
Description
A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
llama-indexPyPI | < 0.10.13 | 0.10.13 |
llama-index-llms-rungptPyPI | < 0.1.3 | 0.1.3 |
Affected products
3- ghsa-coords2 versions
< 0.10.13+ 1 more
- (no CPE)range: < 0.10.13
- (no CPE)range: < 0.1.3
- Range: unspecified
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.