Skip to main content

Llamaindex CVE-2024-45201

HIGH
Code Injection (CWE-94)
2024-08-22 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 22, 2024 - 20:15 cve.org
HIGH 8.8

DescriptionCVE.org

An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.

AnalysisAI

An issue was discovered in llama_index before 0.10.38. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}. Affected products include: Llamaindex. Version information: before 0.10.38..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2024-11958 CRITICAL POC
9.8 Mar 20

A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specif

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

CVE-2025-1750 CRITICAL POC
9.8 Jun 02

SQL injection in llama_index DuckDB vector store v0.12.19. PoC and patch available.

CVE-2025-1793 CRITICAL POC
9.8 Jun 05

Critical SQL injection vulnerability affecting run-llama/llama_index v0.12.21 and potentially other versions, present in

CVE-2024-3271 CRITICAL POC
9.8 Apr 16

A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval func

CVE-2024-23751 CRITICAL POC
9.8 Jan 22

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, S

CVE-2023-39662 CRITICAL POC
9.8 Aug 15

An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter

CVE-2024-4181 HIGH POC
8.8 May 16

A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the

CVE-2024-58339 HIGH POC
8.7 Jan 12

Denial-of-service in LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 lets remote unauthenticated

CVE-2024-14021 HIGH POC
8.4 Jan 12

Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Inde

CVE-2025-3108 HIGH POC
7.5 Jul 06

A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, a

CVE-2025-1752 HIGH POC
7.5 May 10

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_i

Share

CVE-2024-45201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy