An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 31 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Llamaindex
Llamaindex llamaindex
CPEs cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*
Vendors & Products Llamaindex
Llamaindex llamaindex

Mon, 02 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Jun 2025 10:15:00 +0000

Type Values Removed Values Added
Description An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).
Title SQL Injection in run-llama/llama_index
Weaknesses CWE-89
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-06-02T12:18:24.429Z

Reserved: 2025-02-27T11:15:09.303Z

Link: CVE-2025-1750

cve-icon Vulnrichment

Updated: 2025-06-02T12:18:08.644Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-02T10:15:20.557

Modified: 2025-07-31T16:08:49.087

Link: CVE-2025-1750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.