PT-2026-2318 · Vannapack+1 · Vannapack+2

Lifeteam2024 · Published 2026-01-12 · Updated 2026-01-21 · CVE-2024-58339

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: LlamaIndex versions up to and including 0.12.2

Description: LlamaIndex versions up to and including 0.12.2 do not properly control resource consumption in the VannaPack VannaQueryEngine implementation. The custom_query() logic builds SQL statements from user input and executes them with vn.run_sql() without limiting query execution. In deployments where untrusted users can supply prompts, an attacker can trigger resource-intensive or unbounded SQL operations, potentially causing a denial-of-service condition by exhausting CPU or memory. The vulnerable code is in llama_index/packs/vanna/base.py, within the custom_query() function.

Recommendations: Versions up to and including 0.12.2 are affected. At the moment there is no information about a newer version that contains a fix for this vulnerability.
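As an added example (not LlamaIndex or Vanna code), the following is a bounded replacement for the unguarded vn.run_sql() call described above, assuming a SQLite backend: it enforces a row cap, a wall-clock budget via SQLite's progress handler, and read-only execution. The recursive-CTE statements are constructed test inputs standing in for resource-hungry model-generated SQL.

```python
import sqlite3
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SqlBudget:
    max_rows: int = 1000      # rows handed back to the caller per statement
    max_seconds: float = 2.0  # wall-clock budget per statement


class SqlBudgetExceeded(Exception):
    """Raised when a statement exceeds the row cap or the time budget."""


def run_sql_bounded(conn: sqlite3.Connection, sql: str, budget: SqlBudget = SqlBudget()) -> list:
    """Execute one statement under a row cap and a time budget (hypothetical helper)."""
    deadline = time.monotonic() + budget.max_seconds

    def check_deadline() -> bool:
        # A truthy return value makes SQLite abort the running statement.
        return time.monotonic() > deadline

    # Invoked roughly every 1000 VM opcodes while the statement executes.
    conn.set_progress_handler(check_deadline, 1000)
    try:
        cur = conn.execute(sql)
        # fetchmany stops stepping the cursor at the cap, so an unbounded
        # result set costs at most max_rows + 1 rows of work.
        rows = cur.fetchmany(budget.max_rows + 1)
        if len(rows) > budget.max_rows:
            raise SqlBudgetExceeded(f"result exceeds {budget.max_rows} rows")
        return rows
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            raise SqlBudgetExceeded(f"statement exceeded {budget.max_seconds}s") from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)


def demo_connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA query_only = 1")  # model-generated SQL must never write
    return conn


def exceeds_budget(conn: sqlite3.Connection, sql: str, budget: SqlBudget) -> bool:
    """True if the guard rejected the statement, False if it ran within budget."""
    try:
        run_sql_bounded(conn, sql, budget)
        return False
    except SqlBudgetExceeded:
        return True


# Constructed test inputs: an endless result set and a CPU-bound aggregation.
UNBOUNDED_ROWS = "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM c) SELECT x FROM c"
UNBOUNDED_CPU = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM c WHERE x < 100000000) "
                 "SELECT count(*) FROM c")
```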

Exploit · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers: CVE-2024-58339, PYSEC-2026-86

Affected Products: Llama Index, Vannapack, Vannaqueryengine