SQL Injection Vulnerability in FinanceChatLlamaPack by Run-Llama
CVE-2024-12909

9.8CRITICAL

Key Information:

Vendor

Run-llama

Status
Run-llama/llama Index
Vendor
CVE Published:
20 March 2025

What is CVE-2024-12909?

A vulnerability exists in the FinanceChatLlamaPack of the run-llama repository which enables attackers to exploit the run_sql_query function within the database_agent. By using this SQL injection flaw, an attacker can execute arbitrary SQL queries. This can potentially allow unauthorized access to sensitive data or lead to remote code execution through PostgreSQL's large object feature. Users are encouraged to upgrade to version 0.3.0 or later to mitigate this risk.

Affected Version(s)

run-llama/llama_index < 0.3.0

References

https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e...
https://github.com/run-llama/llama_index/commit/5d03c1754...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-12909 : SQL Injection Vulnerability in FinanceChatLlamaPack by Run-Llama