PT-2025-12114 · Unknown · Llama Index

Published 2025-03-20 · Updated 2025-07-29 · CVE-2024-11958

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: run-llama/llama_index versions prior to v0.4.0

Description: A SQL injection vulnerability exists in the duckdb retriever component. The issue stems from constructing SQL queries without using prepared statements, which allows arbitrary SQL to be injected through user-controlled input. Successful exploitation can lead to remote code execution (RCE) through the installation of the shellfs extension and subsequent execution of malicious commands.

Recommendations: Update to version 0.4.0 or later to resolve this issue.

Exploit

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2024-11958
GHSA-339R-CJV9-X78G

Affected Products

Llama Index