CVE-2024-12911: LlamaIndex vulnerable to Creation of Temporary File in Directory with Insecure Permissions
A vulnerability in the default_jsonalyzer function of the JSONalyzeQueryEngine in the run-llama/llama_index repository allows SQL injection via prompt injection: SQL generated from untrusted prompt content is executed without restriction. This can lead to arbitrary file creation and Denial-of-Service (DoS). The vulnerability affects the latest release at the time of the report and is fixed in version 0.12.3.