Command Injection Vulnerability in run-llama/llama_index Repository
CVE-2024-3271

9.8CRITICAL

Key Information:

Vendor: Run-llama
Status: Run-llama/llama Index
Vendor: CVE Published:; 16 April 2024

What is CVE-2024-3271?

A command injection vulnerability exists in the Llama_Index repository developed by Run Llama. The flaw is located within the safe_eval function, where attackers exploit the mechanism designed to validate code generated by large language models (LLMs). By providing specially crafted input that lacks underscores, attackers can bypass intended security checks, enabling the execution of arbitrary operating system commands. This vulnerability poses a serious risk of remote code execution on environments where the application is deployed, potentially compromising the integrity and security of the hosting server.

Affected Version(s)

run-llama/llama_index < 10.26

References

https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083a...

https://github.com/run-llama/llama_index/commit/5fbcb5a8b...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2024
Vulnerability Reserved
Apr 3, 2024

Run-llama

What is CVE-2024-3271?

Affected Version(s)

References

CVSS V3.1

Timeline