CVE-2025-1793 – llama-index

Package

Manager: pip
Name: llama-index
Vulnerable Version: >=0 <0.12.28

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00021 pctl0.03819

Details

llama_index vulnerable to SQL Injection Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

Metadata

Created: 2025-06-05T06:30:26Z
Modified: 2025-06-06T17:24:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v3c8-3pr6-gr7p/GHSA-v3c8-3pr6-gr7p.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-v3c8-3pr6-gr7p
Finding: F106
Auto approve: 1