CVE-2024-11958: SQL Injection in run-llama/llama_index

9.8 CVSS

Description

A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in the latest version at the time of the report. The vulnerability arises from constructing SQL queries by embedding input directly into the query text instead of using prepared statements, which allows an attacker to inject arbitrary SQL. Because DuckDB can load extensions, this can escalate to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
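The pattern the description names (query text built from input versus a prepared statement) is the whole of this bug class, so the following added example shows the two side by side. It is illustrative code written for this page, not llama_index's retriever or the fixed code from the referenced commit; the `nodes` table, the row contents and the `retrieve_*` function names are constructed for the demonstration, and Python's standard `sqlite3` module stands in for DuckDB because both accept `?` placeholders for bound values and the point is the query-construction pattern, not the engine.

```python
import sqlite3

# Constructed sample data standing in for a vector-store node table (assumption,
# not the project's schema).
ROWS = [
    ("n1", "public note about onboarding"),
    ("n2", "private budget figures"),
    ("n3", "public release notes"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nodes (node_id TEXT, text TEXT)")
    con.executemany("INSERT INTO nodes VALUES (?, ?)", ROWS)
    return con


def retrieve_unsafe(con: sqlite3.Connection, query_str: str) -> list[str]:
    """Vulnerable pattern (CWE-89): the caller-controlled string becomes part
    of the SQL text, so quote characters and comment markers in it change the
    statement's meaning."""
    sql = f"SELECT node_id FROM nodes WHERE text LIKE '%{query_str}%'"
    return sorted(r[0] for r in con.execute(sql))


def retrieve_safe(con: sqlite3.Connection, query_str: str) -> list[str]:
    """Hardened pattern: the SQL text is a fixed statement and the string is
    bound as a parameter, so the engine only ever treats it as a value."""
    sql = "SELECT node_id FROM nodes WHERE text LIKE ?"
    return sorted(r[0] for r in con.execute(sql, (f"%{query_str}%",)))


if __name__ == "__main__":
    con = make_db()
    # A tautology wrapped in a quote and a comment marker: the unsafe version
    # returns every row, the bound-parameter version matches nothing.
    probe = "x' OR 1=1 --"
    print("unsafe:", retrieve_unsafe(con, probe))
    print("safe:  ", retrieve_safe(con, probe))
```

The same discipline applies to any other fragment of the statement that comes from the caller: values go through placeholders, and anything that cannot be bound (a table name, a column name) is checked against an allowlist before it is interpolated.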

Classification

CVE ID: CVE-2024-11958

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command

Affected Products

Vendor: run-llama

Product: run-llama/llama_index

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.19% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 42.06% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-11958
https://huntr.com/bounties/8ddf66e1-f74c-4d53-992b-76bc45cacac1
https://github.com/run-llama/llama_index/commit/35bd221e948e40458052d30c6ef2779bc965b6d0

Timeline