CVE-2024-11958

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-11958

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11958.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-11958

Aliases

GHSA-339r-cjv9-x78g

Published

2025-03-20T10:15:26.030Z

Modified

2026-02-14T07:55:22.039214Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.

References

Affected packages

Git / github.com/run-llama/llama_index

Affected ranges

Type: GIT
Repo: https://github.com/run-llama/llama_index
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

aa0092a14420a75e2e4251a2bd8aa1d5f9c28e29

Affected versions

v0.*

v0.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11958.json"