Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/77622?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/77622?format=api", "purl": "pkg:pypi/llama-index@0.6.7", "type": "pypi", "namespace": "", "name": "llama-index", "version": "0.6.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.13.0", "latest_non_vulnerable_version": "0.13.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36643?format=api", "vulnerability_id": "VCID-42vx-wn51-qyhn", "summary": "A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12909", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0413", "scoring_system": "epss", "scoring_elements": "0.88935", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0413", "scoring_system": "epss", "scoring_elements": "0.88929", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0413", "scoring_system": "epss", "scoring_elements": "0.88891", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12909" }, { "reference_url": "https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12909", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12909" }, { "reference_url": "https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f", "reference_id": "44e8177f-200a-4ba3-a12c-8bc21e313a3f", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/" } ], "url": "https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75", "reference_id": "5d03c175476452db9b8abcdb7d5767dd7b310a75", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75" }, { "reference_url": "https://github.com/advisories/GHSA-x48g-hm9c-ww42", "reference_id": "GHSA-x48g-hm9c-ww42", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x48g-hm9c-ww42" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87151?format=api", "purl": "pkg:pypi/llama-index@0.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.4" } ], "aliases": [ "CVE-2024-12909", "GHSA-x48g-hm9c-ww42" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-42vx-wn51-qyhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35689?format=api", "vulnerability_id": "VCID-4gnz-yvuj-j7b9", "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-58339", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.3444", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34641", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34617", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-58339" }, { "reference_url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f", "reference_id": "a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "llama_index", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion", "reference_id": "llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion" }, { "reference_url": "https://www.llamaindex.ai/", "reference_id": "www.llamaindex.ai", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/" } ], "url": "https://www.llamaindex.ai/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87150?format=api", "purl": "pkg:pypi/llama-index@0.12.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3" } ], "aliases": [ "CVE-2024-58339", "PYSEC-2026-86" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4gnz-yvuj-j7b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33815?format=api", "vulnerability_id": "VCID-52ev-rnu6-2bd2", "summary": "LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via \"Drop the Students table\" within English language input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.44121", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.44139", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00213", "scoring_system": "epss", "scoring_elements": "0.43967", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23751" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index/issues/9957", "reference_id": "9957", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-22T18:43:51Z/" } ], "url": "https://github.com/run-llama/llama_index/issues/9957" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751", "reference_id": "CVE-2024-23751", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751" }, { "reference_url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87", "reference_id": "GHSA-2jxw-4hm4-6w87", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28511?format=api", "purl": "pkg:pypi/llama-index@0.9.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-52ev-rnu6-2bd2" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-n88g-cwbj-hfgc" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" }, { "vulnerability": "VCID-y5h5-cjme-jkf6" }, { "vulnerability": "VCID-z131-hxnn-nyax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.35" } ], "aliases": [ "CVE-2024-23751", "GHSA-2jxw-4hm4-6w87", "PYSEC-2024-12" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-52ev-rnu6-2bd2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/106388?format=api", "vulnerability_id": "VCID-ceq2-zgaf-4khp", "summary": "The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7707", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08331", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08333", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08293", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7707" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403577", "reference_id": "2403577", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403577" }, { "reference_url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803", "reference_id": "3fe2c8ab-6727-4aef-a0ef-4d2818e48803", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/" } ], "url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4", "reference_id": "98816394d57c7f53f847ed7b60725e69d0e7aae4", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707", "reference_id": "CVE-2025-7707", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707" }, { "reference_url": "https://github.com/advisories/GHSA-rg9h-vx28-xxp5", "reference_id": "GHSA-rg9h-vx28-xxp5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rg9h-vx28-xxp5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34203?format=api", "purl": "pkg:pypi/llama-index@0.13.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.13.0" } ], "aliases": [ "CVE-2025-7707", "GHSA-rg9h-vx28-xxp5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ceq2-zgaf-4khp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/115331?format=api", "vulnerability_id": "VCID-kdxg-cepu-k7c6", "summary": "Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1793", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18304", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18283", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18121", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1793" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1793", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1793" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e", "reference_id": "0008041e8dde8e519621388e5d6f558bde6ef42e", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370381", "reference_id": "2370381", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370381" }, { "reference_url": "https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c", "reference_id": "8cb1555a-9655-4122-b0d6-60059e79183c", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/" } ], "url": "https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c" }, { "reference_url": "https://github.com/advisories/GHSA-v3c8-3pr6-gr7p", "reference_id": "GHSA-v3c8-3pr6-gr7p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v3c8-3pr6-gr7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/88740?format=api", "purl": "pkg:pypi/llama-index@0.12.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9nry-wte8-3fbf" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.28" } ], "aliases": [ "CVE-2025-1793", "GHSA-v3c8-3pr6-gr7p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kdxg-cepu-k7c6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37022?format=api", "vulnerability_id": "VCID-kef8-9x8x-7qbf", "summary": "A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12704", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.5793", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.58058", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.58042", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12704" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12704", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12704" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353770", "reference_id": "2353770", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353770" }, { "reference_url": "https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a", "reference_id": "a0b638fd-21c6-4ba7-b381-6ab98472a02a", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/" } ], "url": "https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05", "reference_id": "d1ecfb77578d089cbe66728f18f635c09aa32a05", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05" }, { "reference_url": "https://github.com/advisories/GHSA-j3wr-m6xh-64hg", "reference_id": "GHSA-j3wr-m6xh-64hg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j3wr-m6xh-64hg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87153?format=api", "purl": "pkg:pypi/llama-index@0.12.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.6" } ], "aliases": [ "CVE-2024-12704", "GHSA-j3wr-m6xh-64hg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kef8-9x8x-7qbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111198?format=api", "vulnerability_id": "VCID-kuwz-n7tn-v3f6", "summary": "A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6211", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00301", "scoring_system": "epss", "scoring_elements": "0.53815", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00301", "scoring_system": "epss", "scoring_elements": "0.53958", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00301", "scoring_system": "epss", "scoring_elements": "0.53941", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6211" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6211", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6211" }, { "reference_url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389", "reference_id": "1a48a011-a3c5-4979-9ffc-9652280bc389", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/" } ], "url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379311", "reference_id": "2379311", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379311" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352", "reference_id": "29b2e07e64ed7d302b1cc058185560b28eaa1352", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352" }, { "reference_url": "https://github.com/advisories/GHSA-5hq9-5r78-2gjh", "reference_id": "GHSA-5hq9-5r78-2gjh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5hq9-5r78-2gjh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/88753?format=api", "purl": "pkg:pypi/llama-index@0.12.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ceq2-zgaf-4khp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.41" } ], "aliases": [ "CVE-2025-6211", "GHSA-5hq9-5r78-2gjh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kuwz-n7tn-v3f6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36688?format=api", "vulnerability_id": "VCID-m1xa-bext-83bg", "summary": "A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12911", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.50959", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.51103", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.5109", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12911" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12911", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12911" }, { "reference_url": "https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3", "reference_id": "095f9e67-311d-494c-99c5-5e61a0adb8f3", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/" } ], "url": "https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353719", "reference_id": "2353719", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353719" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e", "reference_id": "bf282074e20e7dafd5e2066137dcd4cd17c3fb9e", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e" }, { "reference_url": "https://github.com/advisories/GHSA-jmgm-gx32-vp4w", "reference_id": "GHSA-jmgm-gx32-vp4w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jmgm-gx32-vp4w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87150?format=api", "purl": "pkg:pypi/llama-index@0.12.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3" } ], "aliases": [ "CVE-2024-12911", "GHSA-jmgm-gx32-vp4w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m1xa-bext-83bg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47300?format=api", "vulnerability_id": "VCID-n88g-cwbj-hfgc", "summary": "A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01615", "scoring_system": "epss", "scoring_elements": "0.82261", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01615", "scoring_system": "epss", "scoring_elements": "0.8227", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01615", "scoring_system": "epss", "scoring_elements": "0.822", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4181" }, { "reference_url": "https://huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1", "reference_id": "1a204520-598a-434e-b13d-0d34f2a5ddc1", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-16T16:10:22Z/" } ], "url": "https://huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4181", "reference_id": "CVE-2024-4181", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4181" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba", "reference_id": "d73715eaf0642705583e7897c78b9c8dd2d3a7ba", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-16T16:10:22Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba" }, { "reference_url": "https://github.com/advisories/GHSA-pw38-xv9x-h8ch", "reference_id": "GHSA-pw38-xv9x-h8ch", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pw38-xv9x-h8ch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31426?format=api", "purl": "pkg:pypi/llama-index@0.10.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" }, { "vulnerability": "VCID-y5h5-cjme-jkf6" }, { "vulnerability": "VCID-z131-hxnn-nyax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.13" } ], "aliases": [ "CVE-2024-4181", "GHSA-pw38-xv9x-h8ch" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n88g-cwbj-hfgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/139224?format=api", "vulnerability_id": "VCID-tk3v-d57g-xydz", "summary": "An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39662", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03889", "scoring_system": "epss", "scoring_elements": "0.88564", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.03889", "scoring_system": "epss", "scoring_elements": "0.88525", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.03889", "scoring_system": "epss", "scoring_elements": "0.88571", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39662" }, { "reference_url": "https://github.com/advisories/GHSA-2xxc-73fv-36f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xxc-73fv-36f7" }, { "reference_url": "https://github.com/jerryjliu/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jerryjliu/llama_index" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2023-148.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/9f3e50a803f519af9ab62e63d413441c43001d81" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/aa6726706476e0f957a8d57a5ca89e519e93bad7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39662", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39662" }, { "reference_url": "https://github.com/jerryjliu/llama_index/issues/7054", "reference_id": "7054", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:26:03Z/" } ], "url": "https://github.com/jerryjliu/llama_index/issues/7054" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77675?format=api", "purl": "pkg:pypi/llama-index@0.7.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-52ev-rnu6-2bd2" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-n88g-cwbj-hfgc" }, { "vulnerability": "VCID-tk3v-d57g-xydz" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" }, { "vulnerability": "VCID-y5h5-cjme-jkf6" }, { "vulnerability": "VCID-z131-hxnn-nyax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.7.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/82051?format=api", "purl": "pkg:pypi/llama-index@0.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-52ev-rnu6-2bd2" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-n88g-cwbj-hfgc" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" }, { "vulnerability": "VCID-y5h5-cjme-jkf6" }, { "vulnerability": "VCID-z131-hxnn-nyax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.14" } ], "aliases": [ "CVE-2023-39662", "GHSA-2xxc-73fv-36f7", "PYSEC-2023-148" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tk3v-d57g-xydz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36719?format=api", "vulnerability_id": "VCID-uxre-3rx7-1ffw", "summary": "A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.58058", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.58042", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.5793", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12910" }, { "reference_url": "https://github.com/advisories/GHSA-jvpf-xf32-2w4q", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://github.com/advisories/GHSA-jvpf-xf32-2w4q" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12910", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12910" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9", "reference_id": "159ce485a1168100bb219dc1b93133f1121579d9", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/" } ], "url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353537", "reference_id": "2353537", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353537" }, { "reference_url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8", "reference_id": "27883f22-35ff-49df-aaa5-05031c7d6ad8", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/" } ], "url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87156?format=api", "purl": "pkg:pypi/llama-index@0.12.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9" } ], "aliases": [ "CVE-2024-12910", "GHSA-jvpf-xf32-2w4q", "PYSEC-2025-11" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxre-3rx7-1ffw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39584?format=api", "vulnerability_id": "VCID-y5h5-cjme-jkf6", "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-14021", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32251", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32453", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32433", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-14021" }, { "reference_url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12", "reference_id": "ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "llama_index", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization", "reference_id": "llamaindex-bgem3index-unsafe-deserialization", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization" }, { "reference_url": "https://www.llamaindex.ai/", "reference_id": "www.llamaindex.ai", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-13T16:23:29Z/" } ], "url": "https://www.llamaindex.ai/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87125?format=api", "purl": "pkg:pypi/llama-index@0.11.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.7" } ], "aliases": [ "CVE-2024-14021", "PYSEC-2026-85" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5h5-cjme-jkf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40244?format=api", "vulnerability_id": "VCID-z131-hxnn-nyax", "summary": "An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45201", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43806", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.4398", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43961", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45201" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8" }, { "reference_url": "https://github.com/run-llama/llama_index/pull/13523", "reference_id": "13523", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/" } ], "url": "https://github.com/run-llama/llama_index/pull/13523" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307415", "reference_id": "2307415", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307415" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45201", "reference_id": "CVE-2024-45201", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45201" }, { "reference_url": "https://github.com/advisories/GHSA-fxc2-8m62-m85x", "reference_id": "GHSA-fxc2-8m62-m85x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxc2-8m62-m85x" }, { "reference_url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38", "reference_id": "v0.10.37...v0.10.38", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/" } ], "url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85001?format=api", "purl": "pkg:pypi/llama-index@0.10.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-42vx-wn51-qyhn" }, { "vulnerability": "VCID-4gnz-yvuj-j7b9" }, { "vulnerability": "VCID-ceq2-zgaf-4khp" }, { "vulnerability": "VCID-kdxg-cepu-k7c6" }, { "vulnerability": "VCID-kef8-9x8x-7qbf" }, { "vulnerability": "VCID-kuwz-n7tn-v3f6" }, { "vulnerability": "VCID-m1xa-bext-83bg" }, { "vulnerability": "VCID-uxre-3rx7-1ffw" }, { "vulnerability": "VCID-y5h5-cjme-jkf6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.38" } ], "aliases": [ "CVE-2024-45201", "GHSA-fxc2-8m62-m85x", "PYSEC-2024-192" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z131-hxnn-nyax" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.6.7" }