CVE-2024-11958 – llama-index-retrievers-duckdb-retriever
Package
Manager: pip
Name: llama-index-retrievers-duckdb-retriever
Vulnerable Version: >=0 <0.4.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00531 pctl0.66351
Details
LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection
A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in llama-index-retrievers-duckdb-retriever prior to v0.4.0. The retriever builds its SQL by splicing caller-supplied query text directly into the statement instead of binding it through prepared statements (parameterized queries), so an attacker who controls the query string can inject arbitrary SQL. Because DuckDB can install and load extensions from SQL, the injection can escalate to remote code execution (RCE): the advisory reports installing the shellfs extension and using it to execute malicious commands. Upgrade to llama-index-retrievers-duckdb-retriever 0.4.0 or later.
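The vulnerable pattern the advisory describes, beside its hardened form, as an added example that is not code from llama_index or the DuckDB retriever: the table layout, the `retrieve_*` function names, the sample rows and the injection payload are constructed for illustration, and the block falls back to the standard-library sqlite3 module when the duckdb package is not installed (an assumption; both expose the same DB-API style `execute(sql, params)` and `?` placeholders, which is all the example relies on).

```python
"""Added illustration of the CWE-89 pattern behind CVE-2024-11958.

This is not code from llama-index-retrievers-duckdb-retriever. The table
layout, the retrieve_* function names and the sample rows are constructed
for the example; the sqlite3 fallback is an assumption so it runs offline.
"""
try:
    import duckdb as db  # DuckDB's Python API is DB-API style: execute(sql, params)
except ImportError:      # assumption: sqlite3 stands in when duckdb is not installed
    import sqlite3 as db

# Constructed sample corpus standing in for the retriever's document table.
DOCUMENTS = [
    (1, "public", "Quarterly roadmap for the retrieval service"),
    (2, "public", "How to configure DuckDB full-text search"),
    (3, "secret", "Internal credentials rotation schedule"),
]


def make_connection():
    """Create an in-memory database holding the constructed corpus."""
    con = db.connect(":memory:")
    con.execute(
        "CREATE TABLE documents (node_id INTEGER, visibility VARCHAR, body VARCHAR)"
    )
    con.executemany("INSERT INTO documents VALUES (?, ?, ?)", DOCUMENTS)
    return con


def retrieve_unsafe(con, query_str, top_k=5):
    """Vulnerable pattern: the caller's query text is spliced into the SQL.

    A query string containing a quote breaks out of the LIKE literal and the
    remainder of the input runs as SQL. This is the advisory's class of flaw
    reduced to a plain LIKE filter; the real retriever's statement differs.
    """
    sql = (
        "SELECT node_id, body FROM documents "
        f"WHERE visibility = 'public' AND body LIKE '%{query_str}%' "
        f"LIMIT {top_k}"
    )
    return con.execute(sql).fetchall()


def retrieve_safe(con, query_str, top_k=5):
    """Hardened form: values travel as bound parameters, never as SQL text.

    The statement shape is fixed; `?` placeholders carry the query text and
    the row limit, and top_k is type-checked because it is not a string.
    """
    if not isinstance(top_k, int) or isinstance(top_k, bool) or top_k <= 0:
        raise ValueError("top_k must be a positive integer")
    sql = (
        "SELECT node_id, body FROM documents "
        "WHERE visibility = 'public' AND body LIKE ('%' || ? || '%') "
        "LIMIT ?"
    )
    return con.execute(sql, [query_str, top_k]).fetchall()


# Constructed payload: closes the LIKE literal, widens the WHERE clause to rows
# the caller must not see, and comments out the trailing LIMIT clause.
INJECTION = "zzz%' OR visibility = 'secret' --"


def compare(query_str):
    """Run one input through both variants and return the rows each yields."""
    con = make_connection()
    return {
        "unsafe": retrieve_unsafe(con, query_str),
        "safe": retrieve_safe(con, query_str),
    }


if __name__ == "__main__":
    for q in ("DuckDB", INJECTION):
        print(repr(q), compare(q))
```

With a benign query both variants return the same row; with the constructed payload the interpolated version returns the "secret" row while the parameterized version treats the whole string as a literal pattern and returns nothing. The same binding discipline is what keeps an attacker from reaching `INSTALL`/`LOAD` statements through the query text in the first place.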
Metadata
Created: 2025-03-20T12:32:42Z
Modified: 2025-05-28T16:09:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-339r-cjv9-x78g/GHSA-339r-cjv9-x78g.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-339r-cjv9-x78g
Finding: F297
Auto approve: 1