CVE-2024-11958: SQL Injection in run-llama/llama_index
First published: Thu Mar 20 2025(Updated: )
A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| LlamaIndex |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-11958?
CVE-2024-11958 is classified as a high severity SQL injection vulnerability.
How do I fix CVE-2024-11958?
To fix CVE-2024-11958, update the `duckdb_retriever` component to use prepared statements for database queries.
What component is affected by CVE-2024-11958?
CVE-2024-11958 affects the `duckdb_retriever` component in the run-llama/llama_index repository.
What type of attack can CVE-2024-11958 facilitate?
CVE-2024-11958 can facilitate SQL injection attacks, allowing attackers to manipulate database queries.
In which version of the product is CVE-2024-11958 found?
CVE-2024-11958 is found in the latest version of the run-llama/llama_index repository.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/run-llama
- canonical/llamaindex