CVE-2024-58339

High CVSS: 8.7

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().

Vendor

Llamaindex

Product

Llamaindex

CWE

CWE-770

Yayın Tarihi

2026-01-12 23:15:51

Güncelleme

2026-01-21 18:30:26

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-770 Llamaindex HIGH Llamaindex 2026

Referanslar

https://github.com/run-llama/llama_index https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f https://www.llamaindex.ai/ https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion

Benzer Kayıtlar

High

CVE-2024-14021

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability i…

High

CVE-2025-7707

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which…

Medium

CVE-2025-6211

A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the…

High

CVE-2025-6209

A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the…

Medium

CVE-2025-6210

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, al…

Medium

CVE-2025-5472

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive…