CVE-2024-11958

A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.

Published: Mar 20, 2025
Updated: Aug 11, 2025
CVE: CVE-2024-11958
GHSA: GHSA-339r-cjv9-x78g
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
llama-index-retrievers-duckdb-retriever	-	0.4.0
llamaindex / llamaindex	-	0.4.0

https://github.com/run-llama/llama_index/commit/35bd221e948e40458052d30c6ef2779bc965b6d0
https://huntr.com/bounties/8ddf66e1-f74c-4d53-992b-76bc45cacac1

Vulnerability Database

CVE-2024-11958