CVE-2024-23751

Name of the Vulnerable Software and Affected Versions LlamaIndex (aka llama index) versions 0.9.34 and earlier

Description The issue allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

Recommendations For versions 0.9.34 and earlier, consider disabling the Text-to-SQL feature in the affected engines until a patch is available. Restrict access to the NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine to minimize the risk of exploitation. Avoid using the Text-to-SQL feature with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.