GHSA-339r-cjv9-x78g

Source
https://github.com/advisories/GHSA-339r-cjv9-x78g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-339r-cjv9-x78g/GHSA-339r-cjv9-x78g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-339r-cjv9-x78g
Aliases
Published
2025-03-20T12:32:42Z
Modified
2025-05-28T16:43:07.751362Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection
Details

A SQL injection vulnerability exists in the duckdb_retriever component of the run-llama/llama_index repository, specifically in llama-index-retrievers-duckdb-retriever prior to v0.4.0. The retriever builds its SQL queries by string construction rather than with prepared statements, so an attacker who controls the query input can inject arbitrary SQL. Because the injected SQL runs in DuckDB, this can escalate to remote code execution (RCE) by installing the shellfs extension and executing malicious commands.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "nvd_published_at": "2025-03-20T10:15:26Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T16:09:36Z",
    "severity": "CRITICAL"
}
References

Affected packages

PyPI / llama-index-retrievers-duckdb-retriever

Package

Name
llama-index-retrievers-duckdb-retriever
Purl
pkg:pypi/llama-index-retrievers-duckdb-retriever

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.0

Affected versions

0.*
0.1.4
0.2.0
0.3.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-339r-cjv9-x78g/GHSA-339r-cjv9-x78g.json"