GHSA-x48g-hm9c-ww42
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x48g-hm9c-ww42
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-x48g-hm9c-ww42/GHSA-x48g-hm9c-ww42.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-x48g-hm9c-ww42
- Aliases
- Published
- 2025-03-20T12:32:44Z
- Modified
- 2025-04-03T13:34:11.131126Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- llama-index-packs-finchat SQL Injection vulnerability
- Details
-
A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the
run_sql_queryfunction of thedatabase_agent. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality.The issue is resolved by no longer officially supporting the package and moving it into the
stale_packagesbranch on the repo, this removing it from documentation etc. - Database specific
{ "nvd_published_at": "2025-03-20T10:15:31Z", "cwe_ids": [ "CWE-89" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-03-21T18:48:32Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-12909
- https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75
- https://github.com/run-llama/llama_index
- https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat
- https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f
Affected packages
PyPI / llama-index-packs-finchat
Package
- Name
- llama-index-packs-finchat
- View open source insights on deps.dev
- Purl
- pkg:pypi/llama-index-packs-finchat