SQL injection in llama-index

GHSA-2jxw-4hm4-6w87 · CVE-2024-23751 · PYSEC-2024-12

Published Jan 22, 2024 · Modified Feb 16, 2024

Description

LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23751
WEB https://github.com/run-llama/llama_index/issues/9957
WEB https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml
PACKAGE https://github.com/run-llama/llama_index

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes