PT-2025-12156 · Postgresql+1
Published
2025-03-20
·
Updated
2025-07-30
·
CVE-2024-12909
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
llama-index-packs-finchat versions up to v0.3.0
run-llama/llama index versions up to v0.12.3
Description
A vulnerability exists in the FinanceChatLlamaPack component, allowing for SQL injection in the run_sql_query function within the database agent. An attacker can exploit this issue to inject arbitrary SQL queries, potentially leading to remote code execution (RCE) by leveraging PostgreSQL's large object functionality.
Recommendations
llama-index-packs-finchat versions up to v0.3.0: The package is no longer officially supported and has been moved to the stale packages branch, effectively removing it from documentation.
run-llama/llama index versions up to v0.12.3: Update to version 0.3.0 or later to resolve the issue.
Exploit
Fix
RCE
SQL injection
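As an added illustration of the defensive shape a database-agent tool like the one described above needs (example code, not the FinanceChatLlamaPack's own code or anything from this advisory), assuming a psycopg-style DB-API connection and a constructed, non-exhaustive list of PostgreSQL server-side helpers to refuse:

```python
import re

# Added example, not the FinanceChatLlamaPack's code: a hardened stand-in for a
# "run_sql_query" agent tool. Names and the blocked-function list below are
# constructed for illustration; the list is not exhaustive.

# Server-side file and large-object helpers. Under a privileged role a bare SELECT
# can call these to read or write files on the database host, which is the kind of
# large-object abuse the advisory refers to, so they are refused outright.
_BLOCKED = re.compile(
    r"\b(lo_import|lo_export|lo_from_bytea|lo_put|lo_get|pg_read_file|"
    r"pg_read_binary_file|pg_ls_dir|pg_write_file|dblink)\b", re.IGNORECASE)
# Data-modifying keywords anywhere in the text (also covers WITH ... AS (DELETE ...)).
_WRITES = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|"
    r"COPY|CALL|DO|EXECUTE|INTO)\b", re.IGNORECASE)
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_STRING = re.compile(r"'(?:[^']|'')*'")  # standard single-quoted literals

def validate_read_only_sql(sql: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept one SELECT/WITH statement with no write or
    server-side helper tokens. Comments and string literals are stripped first so
    quoted text can neither hide nor spoof keywords."""
    if "$" in sql:
        return False, "dollar quoting is not supported"  # $$...$$ is not modelled
    body = _STRING.sub("''", _COMMENT.sub(" ", sql)).strip().rstrip(";").strip()
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "multiple statements"
    if body.split(None, 1)[0].upper() not in ("SELECT", "WITH"):
        return False, "only SELECT/WITH statements are allowed"
    if m := _WRITES.search(body):
        return False, f"write keyword {m.group(1).upper()}"
    if m := _BLOCKED.search(body):
        return False, f"server-side helper {m.group(1).lower()}"
    return True, "ok"

class ReadOnlySqlTool:
    """Runs a validated statement inside a READ ONLY transaction on a DB-API
    connection (assumed psycopg-style). The validator is defence in depth: the
    connection itself should belong to an unprivileged, read-only role."""
    def __init__(self, conn):
        self.conn = conn
    def run_sql_query(self, sql: str):
        ok, reason = validate_read_only_sql(sql)
        if not ok:
            raise ValueError(f"query rejected: {reason}")
        cur = self.conn.cursor()
        cur.execute("SET TRANSACTION READ ONLY")  # server refuses writes even if the check is bypassed
        cur.execute(sql)
        rows = cur.fetchall()
        self.conn.rollback()  # read-only work: end the transaction without committing
        return rows
```

The statement filter is deliberately conservative (it also rejects `FOR UPDATE` and `$1` placeholders); the controls that actually bound the damage are the unprivileged role and the read-only transaction.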
Weakness Enumeration
Related Identifiers
Affected Products
Postgresql
Run-Llama/Llama Index