PYSEC-2024-324

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/llama-index/PYSEC-2024-324.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-324
Aliases
Published
2024-05-16T09:15:15.553Z
Modified
2026-07-13T07:26:21.243502373Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.

References

Affected packages

PyPI / llama-index

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.9.47
Fixed
0.10.13

Affected versions

0.*
0.9.47
0.9.48
0.10.0
0.10.1
0.10.3
0.10.4
0.10.5a1
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.10.11
0.10.12

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/llama-index/PYSEC-2024-324.yaml"