Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/38959?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/38959?format=api", "purl": "pkg:pypi/llama-index@0.7.20", "type": "pypi", "namespace": "", "name": "llama-index", "version": "0.7.20", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.13.0", "latest_non_vulnerable_version": "0.13.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37000?format=api", "vulnerability_id": "VCID-24fd-7hp7-ryac", "summary": "A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57854", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12910" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9" }, { "reference_url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/" } ], "url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353537", "reference_id": "2353537", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353537" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12910", "reference_id": "CVE-2024-12910", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12910" }, { "reference_url": "https://github.com/advisories/GHSA-jvpf-xf32-2w4q", "reference_id": "GHSA-jvpf-xf32-2w4q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jvpf-xf32-2w4q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44707?format=api", "purl": "pkg:pypi/llama-index@0.12.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9" } ], "aliases": [ "CVE-2024-12910", "GHSA-jvpf-xf32-2w4q", "PYSEC-2025-11" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-24fd-7hp7-ryac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37182?format=api", "vulnerability_id": "VCID-4pds-7n7x-fkdj", "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-58339", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00159", "scoring_system": "epss", "scoring_elements": "0.36538", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-58339" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f" }, { "reference_url": "https://www.llamaindex.ai/", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://www.llamaindex.ai/" }, { "reference_url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44701?format=api", "purl": "pkg:pypi/llama-index@0.12.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3" } ], "aliases": [ "CVE-2024-58339", "PYSEC-2026-86" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4pds-7n7x-fkdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54926?format=api", "vulnerability_id": "VCID-5bty-c4c1-nbbm", "summary": "RunGptLLM class in LlamaIndex has a command injection\nA command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01615", "scoring_system": "epss", "scoring_elements": "0.82152", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4181" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-16T16:10:22Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba" }, { "reference_url": "https://huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-16T16:10:22Z/" } ], "url": "https://huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4181", "reference_id": "CVE-2024-4181", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4181" }, { "reference_url": "https://github.com/advisories/GHSA-pw38-xv9x-h8ch", "reference_id": "GHSA-pw38-xv9x-h8ch", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pw38-xv9x-h8ch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42538?format=api", "purl": "pkg:pypi/llama-index@0.10.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-4pds-7n7x-fkdj" }, { "vulnerability": "VCID-7fnz-sag8-nfe6" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-n7cu-sbm2-2ubr" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-tr95-z5ss-r7hr" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.13" } ], "aliases": [ "CVE-2024-4181", "GHSA-pw38-xv9x-h8ch" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5bty-c4c1-nbbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36857?format=api", "vulnerability_id": "VCID-7fnz-sag8-nfe6", "summary": "An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45201", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43787", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45201" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8" }, { "reference_url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/" } ], "url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38" }, { "reference_url": "https://github.com/run-llama/llama_index/pull/13523", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/" } ], "url": "https://github.com/run-llama/llama_index/pull/13523" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307415", "reference_id": "2307415", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307415" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45201", "reference_id": "CVE-2024-45201", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45201" }, { "reference_url": "https://github.com/advisories/GHSA-fxc2-8m62-m85x", "reference_id": "GHSA-fxc2-8m62-m85x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxc2-8m62-m85x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42563?format=api", "purl": "pkg:pypi/llama-index@0.10.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-4pds-7n7x-fkdj" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-n7cu-sbm2-2ubr" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-tr95-z5ss-r7hr" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.38" } ], "aliases": [ "CVE-2024-45201", "GHSA-fxc2-8m62-m85x", "PYSEC-2024-192" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7fnz-sag8-nfe6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36520?format=api", "vulnerability_id": "VCID-c9bm-rbj6-23gp", "summary": "An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39662", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03852", "scoring_system": "epss", "scoring_elements": "0.8843", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39662" }, { "reference_url": "https://github.com/jerryjliu/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jerryjliu/llama_index" }, { "reference_url": "https://github.com/jerryjliu/llama_index/issues/7054", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:26:03Z/" } ], "url": "https://github.com/jerryjliu/llama_index/issues/7054" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39662", "reference_id": "CVE-2023-39662", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39662" }, { "reference_url": "https://github.com/advisories/GHSA-2xxc-73fv-36f7", "reference_id": "GHSA-2xxc-73fv-36f7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2xxc-73fv-36f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39086?format=api", "purl": "pkg:pypi/llama-index@0.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-4pds-7n7x-fkdj" }, { "vulnerability": "VCID-5bty-c4c1-nbbm" }, { "vulnerability": "VCID-7fnz-sag8-nfe6" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-n7cu-sbm2-2ubr" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-rfef-698v-juad" }, { "vulnerability": "VCID-tr95-z5ss-r7hr" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.14" } ], "aliases": [ "CVE-2023-39662", "GHSA-2xxc-73fv-36f7", "PYSEC-2023-148" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c9bm-rbj6-23gp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56863?format=api", "vulnerability_id": "VCID-e7et-qz6q-hkg4", "summary": "llama-index-packs-finchat SQL Injection vulnerability\nA vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality.\n\nThe issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch on the repo, this removing it from documentation etc.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12909", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0413", "scoring_system": "epss", "scoring_elements": "0.88853", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12909" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75" }, { "reference_url": "https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat" }, { "reference_url": "https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/" } ], "url": "https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12909", "reference_id": "CVE-2024-12909", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12909" }, { "reference_url": "https://github.com/advisories/GHSA-x48g-hm9c-ww42", "reference_id": "GHSA-x48g-hm9c-ww42", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x48g-hm9c-ww42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44702?format=api", "purl": "pkg:pypi/llama-index@0.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.4" } ], "aliases": [ "CVE-2024-12909", "GHSA-x48g-hm9c-ww42" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e7et-qz6q-hkg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48016?format=api", "vulnerability_id": "VCID-gmvy-ywca-j3ez", "summary": "llama-index has Insecure Temporary File\nThe llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7707", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08292", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7707" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4" }, { "reference_url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/" } ], "url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403577", "reference_id": "2403577", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403577" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707", "reference_id": "CVE-2025-7707", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707" }, { "reference_url": "https://github.com/advisories/GHSA-rg9h-vx28-xxp5", "reference_id": "GHSA-rg9h-vx28-xxp5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rg9h-vx28-xxp5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70834?format=api", "purl": "pkg:pypi/llama-index@0.13.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.13.0" } ], "aliases": [ "CVE-2025-7707", "GHSA-rg9h-vx28-xxp5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gmvy-ywca-j3ez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56934?format=api", "vulnerability_id": "VCID-n7cu-sbm2-2ubr", "summary": "LlamaIndex vulnerable to Creation of Temporary File in Directory with Insecure Permissions\nA vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.12.3.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12911", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.50918", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12911" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e" }, { "reference_url": "https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/" } ], "url": "https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353719", "reference_id": "2353719", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353719" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12911", "reference_id": "CVE-2024-12911", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12911" }, { "reference_url": "https://github.com/advisories/GHSA-jmgm-gx32-vp4w", "reference_id": "GHSA-jmgm-gx32-vp4w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jmgm-gx32-vp4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44701?format=api", "purl": "pkg:pypi/llama-index@0.12.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3" } ], "aliases": [ "CVE-2024-12911", "GHSA-jmgm-gx32-vp4w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n7cu-sbm2-2ubr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56894?format=api", "vulnerability_id": "VCID-pgec-vz8n-fbe4", "summary": "LlamaIndex Improper Handling of Exceptional Conditions vulnerability\nA vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12704", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57854", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12704" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05" }, { "reference_url": "https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/" } ], "url": "https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353770", "reference_id": "2353770", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353770" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12704", "reference_id": "CVE-2024-12704", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12704" }, { "reference_url": "https://github.com/advisories/GHSA-j3wr-m6xh-64hg", "reference_id": "GHSA-j3wr-m6xh-64hg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j3wr-m6xh-64hg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44704?format=api", "purl": "pkg:pypi/llama-index@0.12.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.6" } ], "aliases": [ "CVE-2024-12704", "GHSA-j3wr-m6xh-64hg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pgec-vz8n-fbe4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36690?format=api", "vulnerability_id": "VCID-rfef-698v-juad", "summary": "LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via \"Drop the Students table\" within English language input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.43951", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23751" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/issues/9957", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-22T18:43:51Z/" } ], "url": "https://github.com/run-llama/llama_index/issues/9957" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751", "reference_id": "CVE-2024-23751", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751" }, { "reference_url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87", "reference_id": "GHSA-2jxw-4hm4-6w87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39126?format=api", "purl": "pkg:pypi/llama-index@0.9.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-4pds-7n7x-fkdj" }, { "vulnerability": "VCID-5bty-c4c1-nbbm" }, { "vulnerability": "VCID-7fnz-sag8-nfe6" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-n7cu-sbm2-2ubr" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-rfef-698v-juad" }, { "vulnerability": "VCID-tr95-z5ss-r7hr" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.35" } ], "aliases": [ "CVE-2024-23751", "GHSA-2jxw-4hm4-6w87", "PYSEC-2024-12" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfef-698v-juad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37181?format=api", "vulnerability_id": "VCID-tr95-z5ss-r7hr", "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-14021", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38101", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-14021" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12" }, { "reference_url": "https://www.llamaindex.ai/", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://www.llamaindex.ai/" }, { "reference_url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44681?format=api", "purl": "pkg:pypi/llama-index@0.11.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-24fd-7hp7-ryac" }, { "vulnerability": "VCID-4pds-7n7x-fkdj" }, { "vulnerability": "VCID-e7et-qz6q-hkg4" }, { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-n7cu-sbm2-2ubr" }, { "vulnerability": "VCID-pgec-vz8n-fbe4" }, { "vulnerability": "VCID-x63v-5g31-9ubm" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.7" } ], "aliases": [ "CVE-2024-14021", "PYSEC-2026-85" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "7.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tr95-z5ss-r7hr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57399?format=api", "vulnerability_id": "VCID-x63v-5g31-9ubm", "summary": "llama_index vulnerable to SQL Injection\nMultiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1793", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.1813", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1793" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e" }, { "reference_url": "https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/" } ], "url": "https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370381", "reference_id": "2370381", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370381" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1793", "reference_id": "CVE-2025-1793", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1793" }, { "reference_url": "https://github.com/advisories/GHSA-v3c8-3pr6-gr7p", "reference_id": "GHSA-v3c8-3pr6-gr7p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v3c8-3pr6-gr7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46009?format=api", "purl": "pkg:pypi/llama-index@0.12.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gmvy-ywca-j3ez" }, { "vulnerability": "VCID-pwa9-7xgw-vkgu" }, { "vulnerability": "VCID-zrjv-cjr8-byeh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.28" } ], "aliases": [ "CVE-2025-1793", "GHSA-v3c8-3pr6-gr7p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x63v-5g31-9ubm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57633?format=api", "vulnerability_id": "VCID-zrjv-cjr8-byeh", "summary": "LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class\nA vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6211", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00301", "scoring_system": "epss", "scoring_elements": "0.53752", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6211" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352" }, { "reference_url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/" } ], "url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379311", "reference_id": "2379311", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379311" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6211", "reference_id": "CVE-2025-6211", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6211" }, { "reference_url": "https://github.com/advisories/GHSA-5hq9-5r78-2gjh", "reference_id": "GHSA-5hq9-5r78-2gjh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5hq9-5r78-2gjh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46022?format=api", "purl": "pkg:pypi/llama-index@0.12.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gmvy-ywca-j3ez" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.41" } ], "aliases": [ "CVE-2025-6211", "GHSA-5hq9-5r78-2gjh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zrjv-cjr8-byeh" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.7.20" }