ByteOS Network

NVD Vulnerability Details :

CVE-2024-12909

Analyzed

Source-security@huntr.dev

Published At-20 Mar, 2025 | 10:15

Updated At-30 Jul, 2025 | 01:00

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary	3.0	10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.0

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CPE Matches

llamaindex>>llamaindex>>Versions before 0.3.0(exclusive)

cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-89	Primary	security@huntr.dev

CWE ID: CWE-89

Type: Primary

Source: security@huntr.dev

References

Hyperlink	Source	Resource
https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75	security@huntr.dev	Patch
https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f	security@huntr.dev	Exploit Third Party Advisory

Hyperlink: https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75

Source: security@huntr.dev

Resource:

Patch

Hyperlink: https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f

Source: security@huntr.dev

Resource:

Exploit

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History