An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).
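The defect class described above is a value being spliced into a DELETE statement as SQL text instead of being bound as a parameter. The following is an added illustration, not code from llama_index or DuckDBVectorStore: it uses Python's standard sqlite3 module as a stand-in for DuckDB (DuckDB's Python API binds parameters the same way, via `con.execute(sql, [value])`), and the table name, columns, sample rows and function names are assumptions made for the example. The vulnerable form and the hardened form are shown side by side, with a constructed ref_doc_id containing a quote character to show how each treats it.

```python
import sqlite3

# Constructed sample data standing in for a vector store table (assumed schema).
SAMPLE_ROWS = [
    ("node-1", "doc-1", "first chunk of doc-1"),
    ("node-2", "doc-1", "second chunk of doc-1"),
    ("node-3", "doc-2", "only chunk of doc-2"),
]


def make_store() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vectors (node_id TEXT, ref_doc_id TEXT, text TEXT)")
    con.executemany("INSERT INTO vectors VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def remaining(con: sqlite3.Connection) -> int:
    """Number of rows still in the table."""
    return con.execute("SELECT COUNT(*) FROM vectors").fetchone()[0]


def delete_vulnerable(con: sqlite3.Connection, ref_doc_id: str) -> int:
    """Anti-pattern: the caller's value is interpolated into the SQL text.

    Any quote character in ref_doc_id ends the string literal, and the rest of
    the value is parsed as SQL, so the WHERE clause is under the caller's control.
    Returns the number of rows left after the statement ran.
    """
    con.execute(f"DELETE FROM vectors WHERE ref_doc_id = '{ref_doc_id}'")
    con.commit()
    return remaining(con)


def delete_hardened(con: sqlite3.Connection, ref_doc_id: str) -> int:
    """Fix: bind ref_doc_id as a parameter.

    The driver sends the value separately from the statement, so it is only
    ever compared as data; quotes and keywords inside it have no SQL meaning.
    Returns the number of rows left after the statement ran.
    """
    con.execute("DELETE FROM vectors WHERE ref_doc_id = ?", (ref_doc_id,))
    con.commit()
    return remaining(con)


if __name__ == "__main__":
    # Constructed input: a quote character followed by a tautology.
    crafted = "x' OR '1'='1"

    print("hardened, benign id:", delete_hardened(make_store(), "doc-1"))   # 1 row left
    print("hardened, crafted id:", delete_hardened(make_store(), crafted))  # 3 rows left, nothing matched
    print("vulnerable, benign id:", delete_vulnerable(make_store(), "doc-1"))  # 1 row left
    print("vulnerable, crafted id:", delete_vulnerable(make_store(), crafted))  # 0 rows left
```

The two functions behave identically on well-formed document ids, which is why this class of bug survives ordinary functional tests; the difference only appears when the id carries SQL syntax. When reviewing a store implementation, the check is mechanical: any f-string, `%` or `+` building the statement text from a caller-supplied value is the vulnerable form, and the fix is the parameter placeholder the driver provides.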
CVE ID: CVE-2025-1750
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor: run-llama
Product: run-llama/llama_index
EPSS Score: 0.26% (estimated probability of exploitation in the wild)
EPSS Percentile: 49.74% (share of scored vulnerabilities with an equal or lower EPSS score)
EPSS Date: 2025-06-06 (date the score was calculated)