Lookup for vulnerable packages by Package URL.

purl pkg:pypi/llama-index@0.5.10
type pypi
namespace
name llama-index
version 0.5.10
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 0.12.9
latest_non_vulnerable_version 0.12.41
affected_by_vulnerabilities
0
url VCID-24fd-7hp7-ryac
vulnerability_id VCID-24fd-7hp7-ryac
summary A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.
references
0
reference_url https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9
1
reference_url https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8
fixed_packages
0
url pkg:pypi/llama-index@0.12.9
purl pkg:pypi/llama-index@0.12.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9
aliases CVE-2024-12910, PYSEC-2025-11
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-24fd-7hp7-ryac
1
url VCID-4pds-7n7x-fkdj
vulnerability_id VCID-4pds-7n7x-fkdj
summary LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
references
0
reference_url https://github.com/run-llama/llama_index
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/run-llama/llama_index
1
reference_url https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
2
reference_url https://www.llamaindex.ai/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.llamaindex.ai/
3
reference_url https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion
fixed_packages
0
url pkg:pypi/llama-index@0.12.3
purl pkg:pypi/llama-index@0.12.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3
aliases CVE-2024-58339, PYSEC-2026-86
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4pds-7n7x-fkdj
2
url VCID-7fnz-sag8-nfe6
vulnerability_id VCID-7fnz-sag8-nfe6
summary An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
references
0
reference_url https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38
1
reference_url https://github.com/run-llama/llama_index/pull/13523
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/pull/13523
fixed_packages
0
url pkg:pypi/llama-index@0.10.38
purl pkg:pypi/llama-index@0.10.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
1
vulnerability VCID-4pds-7n7x-fkdj
2
vulnerability VCID-tr95-z5ss-r7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.38
aliases CVE-2024-45201, PYSEC-2024-192
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7fnz-sag8-nfe6
3
url VCID-c9bm-rbj6-23gp
vulnerability_id VCID-c9bm-rbj6-23gp
summary An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.
references
0
reference_url https://github.com/jerryjliu/llama_index
reference_id
reference_type
scores
url https://github.com/jerryjliu/llama_index
1
reference_url https://github.com/jerryjliu/llama_index/issues/7054
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/jerryjliu/llama_index/issues/7054
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml
3
reference_url https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81
4
reference_url https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-39662
reference_id CVE-2023-39662
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-39662
6
reference_url https://github.com/advisories/GHSA-2xxc-73fv-36f7
reference_id GHSA-2xxc-73fv-36f7
reference_type
scores
url https://github.com/advisories/GHSA-2xxc-73fv-36f7
fixed_packages
0
url pkg:pypi/llama-index@0.7.14
purl pkg:pypi/llama-index@0.7.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
1
vulnerability VCID-4pds-7n7x-fkdj
2
vulnerability VCID-7fnz-sag8-nfe6
3
vulnerability VCID-rfef-698v-juad
4
vulnerability VCID-tr95-z5ss-r7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.7.14
1
url pkg:pypi/llama-index@0.9.14
purl pkg:pypi/llama-index@0.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
1
vulnerability VCID-4pds-7n7x-fkdj
2
vulnerability VCID-7fnz-sag8-nfe6
3
vulnerability VCID-rfef-698v-juad
4
vulnerability VCID-tr95-z5ss-r7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.14
aliases CVE-2023-39662, GHSA-2xxc-73fv-36f7, PYSEC-2023-148
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c9bm-rbj6-23gp
4
url VCID-rfef-698v-juad
vulnerability_id VCID-rfef-698v-juad
summary LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml
1
reference_url https://github.com/run-llama/llama_index/issues/9957
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/issues/9957
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23751
reference_id CVE-2024-23751
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-23751
3
reference_url https://github.com/advisories/GHSA-2jxw-4hm4-6w87
reference_id GHSA-2jxw-4hm4-6w87
reference_type
scores
url https://github.com/advisories/GHSA-2jxw-4hm4-6w87
fixed_packages
0
url pkg:pypi/llama-index@0.9.35
purl pkg:pypi/llama-index@0.9.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
1
vulnerability VCID-4pds-7n7x-fkdj
2
vulnerability VCID-7fnz-sag8-nfe6
3
vulnerability VCID-rfef-698v-juad
4
vulnerability VCID-tr95-z5ss-r7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.35
aliases CVE-2024-23751, GHSA-2jxw-4hm4-6w87, PYSEC-2024-12
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfef-698v-juad
5
url VCID-tr95-z5ss-r7hr
vulnerability_id VCID-tr95-z5ss-r7hr
summary LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.
references
0
reference_url https://github.com/run-llama/llama_index
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/run-llama/llama_index
1
reference_url https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
2
reference_url https://www.llamaindex.ai/
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.llamaindex.ai/
3
reference_url https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
fixed_packages
0
url pkg:pypi/llama-index@0.11.7
purl pkg:pypi/llama-index@0.11.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-24fd-7hp7-ryac
1
vulnerability VCID-4pds-7n7x-fkdj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.7
aliases CVE-2024-14021, PYSEC-2026-85
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tr95-z5ss-r7hr
fixing_vulnerabilities
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.5.10