Command Injection in LLama-Index CLI in run-llama/llama_index
Description
LLama-Index CLI v0.12.20 has an OS command injection in the --files argument, allowing arbitrary command execution via os.system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LLama-Index CLI v0.12.20 has an OS command injection in the --files argument, allowing arbitrary command execution via os.system.
Vulnerability
LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability in the handling of the --files argument. The argument is directly passed to os.system without sanitization, allowing an attacker to inject arbitrary shell commands [1].
Exploitation
An attacker can exploit this locally by controlling the CLI arguments. Remotely, if a web application calls the LLama-Index CLI with a user-controlled filename, the attacker can inject commands. The injection occurs because the --files value is concatenated into a shell command string without escaping [3].
Impact
Successful exploitation leads to arbitrary code execution on the affected system, potentially compromising confidentiality, integrity, and availability [1].
Mitigation
The vulnerability has been patched in a commit that uses shlex.quote() to escape the path before passing it to os.system [3]. Users should update to a patched version (e.g., v0.4.1 of the CLI package) [3]. The issue was reported via a bug bounty program [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
llama-index-cliPyPI | < 0.4.1 | 0.4.1 |
Affected products
2- Range: unspecified
Patches
1b57e76738c53fix: escape user input before shelling out command (#17953)
2 files changed · +8 −6
llama-index-cli/llama_index/cli/rag/base.py+6 −4 modified@@ -1,5 +1,6 @@ import asyncio import os +import shlex import shutil from argparse import ArgumentParser from glob import iglob @@ -14,8 +15,8 @@ from llama_index.core.base.embeddings.base import BaseEmbedding from llama_index.core.base.response.schema import ( RESPONSE_TYPE, - StreamingResponse, Response, + StreamingResponse, ) from llama_index.core.bridge.pydantic import BaseModel, Field, field_validator from llama_index.core.chat_engine import CondenseQuestionChatEngine @@ -159,7 +160,7 @@ def chat_engine_from_query_pipeline( if chat_engine is not None: return chat_engine - if values.get("query_pipeline", None) is None: + if values.get("query_pipeline") is None: values["query_pipeline"] = cls.query_pipeline_from_ingestion_pipeline( query_pipeline=None, values=values ) @@ -231,7 +232,8 @@ async def handle_cli( # Append the `--files` argument to the history file with open(f"{self.persist_dir}/{RAG_HISTORY_FILE_NAME}", "a") as f: - f.write(str(files) + "\n") + for file in files: + f.write(str(file) + "\n") if create_llama: if shutil.which("npx") is None: @@ -289,7 +291,7 @@ async def handle_cli( "none", "--engine", "context", - f"--files {path}", + f"--files {shlex.quote(path)}", ] os.system(" ".join(command_args))
llama-index-cli/pyproject.toml+2 −2 modified@@ -14,7 +14,7 @@ disallow_untyped_defs = true # Remove venv skip when integrated with pre-commit exclude = ["_static", "build", "examples", "notebooks", "venv"] ignore_missing_imports = true -python_version = "3.8" +python_version = "3.9" [tool.poetry] authors = ["llamaindex"] @@ -32,7 +32,7 @@ maintainers = [ name = "llama-index-cli" packages = [{include = "llama_index/"}] readme = "README.md" -version = "0.4.0" +version = "0.4.1" [tool.poetry.dependencies] python = ">=3.9,<4.0"
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.