PT-2024-29576 · Unknown · Llama Index
Published
2024-05-16
·
Updated
2025-10-21
·
CVE-2024-4181
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
llama index library version 0.9.47
Description
A command injection issue exists due to the improper use of the
eval function in the RunGptLLM class, allowing a malicious LLM hosting provider to execute arbitrary commands on the client's machine. This could lead to a hosting provider gaining full control over client machines.Recommendations
For version 0.9.47, update to version 0.10.13 to resolve the issue. As a temporary workaround, consider restricting access to the
eval function in the RunGptLLM class until the update is applied.Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Llama Index