Vulnerability Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Llamaindex | Llamaindex | <= 0.12.2 |
Related Weaknesses (CWE)
References
- https://github.com/run-llama/llama_indexProduct
- https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1fExploitThird Party Advisory
- https://www.llamaindex.ai/Product
- https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-aThird Party Advisory
FAQ
What is CVE-2024-58339?
CVE-2024-58339 is a vulnerability with a CVSS score of 7.5 (HIGH). LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() l...
How severe is CVE-2024-58339?
CVE-2024-58339 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-58339?
Check the references section above for vendor advisories and patch information. Affected products include: Llamaindex Llamaindex.