CVE-2024-12909 CRITICAL

CVE-2024-12909: SQL Injection to RCE in run-llama/llama_index

Vendor Run-Llama
Product run-llama/llama_index
Weakness CWE-89 · SQLi
Published March 20, 2025
Last update March 20, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows SQL injection in the `run_sql_query` function of the `database_agent`: the text handed to that function is executed verbatim against the backing database, so an attacker who can steer the agent's input can run arbitrary SQL statements with the privileges of the database connection. Against PostgreSQL this can be escalated to remote code execution through the large object functionality. The issue is fixed in version 0.3.0.

A practical caveat when assessing exposure: the file-writing step of that escalation depends on the database role the pack connects with. PostgreSQL's server-side large object import/export functions are restricted to superusers by default (or to roles explicitly granted them), so a deployment whose agent uses a low-privilege, read-only role limits the impact to data disclosure and tampering rather than code execution on the database host. Either outcome is still a full compromise of the data the agent can reach, so upgrade regardless.
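The weakness class, shown as an added example rather than the project's own code: a tool function that executes whatever SQL text the language model emits, beside a hardened variant that runs on a connection restricted to read actions at the engine level. The example uses SQLite (an authorizer callback stands in for a read-only PostgreSQL role), a constructed `holdings` table, and hypothetical function names `run_sql_query_vulnerable`, `run_sql_query_hardened` and `make_read_only_connection`; none of these appear in llama_index. It also shows why a lexical "starts with SELECT" check alone is not enough: a CTE-prefixed statement passes it but is still blocked by the engine policy.

```python
import os
import sqlite3
import tempfile

# Constructed sample data standing in for the finance database the agent queries.
SAMPLE_HOLDINGS = [("ACME", 100), ("GLOBEX", 250), ("INITECH", 40)]

# Engine-level read-only policy: only SELECT statements, column reads and
# built-in functions are authorized; every DDL/DML action is denied at prepare time.
_ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def _read_only_authorizer(action, arg1, arg2, dbname, source):
    return sqlite3.SQLITE_OK if action in _ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def new_db_file() -> str:
    """Create a throw-away SQLite file seeded with the constructed holdings table."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE holdings (ticker TEXT PRIMARY KEY, shares INTEGER)")
    conn.executemany("INSERT INTO holdings VALUES (?, ?)", SAMPLE_HOLDINGS)
    conn.commit()
    conn.close()
    return path


def run_sql_query_vulnerable(conn, query):
    """Flawed pattern (hypothetical): model-emitted SQL runs verbatim with the connection's full rights."""
    return conn.execute(query).fetchall()


def make_read_only_connection(path):
    """Hypothetical hardened setup: the tool's connection can only read, like a read-only DB role."""
    conn = sqlite3.connect(path)
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_sql_query_hardened(conn, query):
    """Cheap lexical gate plus the engine policy installed on the connection."""
    stmt = query.strip().rstrip(";").strip()
    if not stmt.upper().startswith(("SELECT", "WITH")):
        raise PermissionError("only read queries are accepted")
    # A single statement per call; sqlite3 refuses stacked statements here anyway.
    return conn.execute(stmt).fetchall()


def attempt(fn, conn, query):
    """Run one tool call and report whether the statement executed or was refused."""
    try:
        return ("ok", fn(conn, query))
    except (PermissionError, sqlite3.DatabaseError) as exc:
        return ("refused", str(exc))


def demo():
    path = new_db_file()
    admin = sqlite3.connect(path)            # the pack's full-privilege connection
    readonly = make_read_only_connection(path)
    legit = "SELECT ticker, shares FROM holdings ORDER BY ticker"
    drop = "DROP TABLE holdings"                       # caught by the lexical gate
    sneaky = "WITH t AS (SELECT 1) DELETE FROM holdings"  # passes the gate, denied by the engine
    try:
        out = {
            "hardened_legit": attempt(run_sql_query_hardened, readonly, legit),
            "hardened_drop": attempt(run_sql_query_hardened, readonly, drop)[0],
            "hardened_sneaky": attempt(run_sql_query_hardened, readonly, sneaky)[0],
            "vulnerable_sneaky": attempt(run_sql_query_vulnerable, admin, sneaky)[0],
        }
        out["rows_left_after_vulnerable"] = admin.execute(
            "SELECT COUNT(*) FROM holdings").fetchone()[0]
    finally:
        admin.close()
        readonly.close()
        os.remove(path)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two layers: the prefix check is a convenience that rejects obvious junk, but the property that actually matters is enforced by the database (here the authorizer; in PostgreSQL a dedicated role with SELECT only, no superuser bit and no grant on the server-side large object functions), because the model-supplied string should never be trusted to stay a SELECT.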

Key dates

02 Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated
