CRITICAL🇵🇱 Wersja polska

CVE-2025-1793

CVSS 9.8v3.0pub. 2025-06-05upd. 2025-07-30

Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

🤖 AI Analysis
How it works

The vulnerability results from the lack of proper sanitization of input data passed to SQL queries in LlamaIndex library vector store integrations. An attacker can inject malicious SQL code into parameters processed by the library, resulting in the execution of unintended database operations. The attack vector is network-based, does not require authentication or user interaction, and its exploitation is relatively simple (low attack complexity).

Impact

An attacker can gain unauthorized access to data of other users of a web application using the LlamaIndex library, as well as modify stored data — leading to violations of data confidentiality and integrity.

Mitigation & patch

Patches available from the vendor should be applied according to the references. The fix was introduced in commit 0008041e8dde8e519621388e5d6f558bde6ef42e available in the GitHub repository of the run-llama/llama_index project.

Who is affected

LlamaIndex (run-llama/llama_index) version v0.12.21 — affects web applications using vector store integrations of this library.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Llamaindex

    APP
    Llamaindex
    0.12.21 – 0.12.28 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-1750CRITICAL9.8PL ✓ten sam produkt

SQL Injection w DuckDBVectorStore umożliwiający RCE (LlamaIndex)

CVE-2024-12909CRITICAL9.8PL ✓ten sam produkt

SQL Injection i RCE w FinanceChatLlamaPack biblioteki LlamaIndex

CVE-2024-11958CRITICAL9.8PL ✓ten sam produkt

SQL Injection umożliwiający RCE w komponencie duckdb_retriever biblioteki LlamaIndex

CVE-2024-3271CRITICAL9.8PL ✓ten sam produkt

Command injection w LlamaIndex — obejście safe_eval umożliwia RCE

CVE-2024-23751CRITICAL9.8PL ✓ten sam produkt

SQL injection w LlamaIndex przez funkcję Text-to-SQL