Search for packages
| purl | pkg:pypi/llama-index@0.12.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9wyc-qhrw-jugv
Aliases: CVE-2024-58339 PYSEC-2026-86 |
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). |
Affected by 1 other vulnerability. |
|
VCID-s83c-jsfw-nfg5
Aliases: CVE-2024-12910 PYSEC-2025-11 |
A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-30T20:37:04.737368+00:00 | Pypa Importer | Affected by | VCID-9wyc-qhrw-jugv | https://github.com/pypa/advisory-database/blob/main/vulns/llama-index/PYSEC-2026-86.yaml | 38.6.0 |
| 2026-05-30T20:36:10.418576+00:00 | Pypa Importer | Affected by | VCID-s83c-jsfw-nfg5 | https://github.com/pypa/advisory-database/blob/main/vulns/llama-index/PYSEC-2025-11.yaml | 38.6.0 |