CVE-2025-1793: SQL Injection in run-llama/llama_index

9.8 CVSS

Description

Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

Classification

CVE ID: CVE-2025-1793

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command

Affected Products

Vendor: run-llama

Product: run-llama/llama_index

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.34% (scored less or equal to compared to others)

EPSS Date: 2025-06-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1793
https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c
https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e

Timeline

2025-06-05 05:40:11 UTC
CVE

SQL Injection in run-llama/llama_index