Look up vulnerable packages by Package URL.

GET /api/packages/39028?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/39028?format=api",
    "purl": "pkg:pypi/llama-index@0.8.48",
    "type": "pypi",
    "namespace": "",
    "name": "llama-index",
    "version": "0.8.48",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "0.12.9",
    "latest_non_vulnerable_version": "0.12.41",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37000?format=api",
            "vulnerability_id": "VCID-24fd-7hp7-ryac",
            "summary": "A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.",
            "references": [
                {
                    "reference_url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9"
                },
                {
                    "reference_url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/44707?format=api",
                    "purl": "pkg:pypi/llama-index@0.12.9",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9"
                }
            ],
            "aliases": [
                "CVE-2024-12910",
                "PYSEC-2025-11"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-24fd-7hp7-ryac"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37182?format=api",
            "vulnerability_id": "VCID-4pds-7n7x-fkdj",
            "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().",
            "references": [
                {
                    "reference_url": "https://github.com/run-llama/llama_index",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://github.com/run-llama/llama_index"
                },
                {
                    "reference_url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f"
                },
                {
                    "reference_url": "https://www.llamaindex.ai/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://www.llamaindex.ai/"
                },
                {
                    "reference_url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/44701?format=api",
                    "purl": "pkg:pypi/llama-index@0.12.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-24fd-7hp7-ryac"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3"
                }
            ],
            "aliases": [
                "CVE-2024-58339",
                "PYSEC-2026-86"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4pds-7n7x-fkdj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36857?format=api",
            "vulnerability_id": "VCID-7fnz-sag8-nfe6",
            "summary": "An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.",
            "references": [
                {
                    "reference_url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38"
                },
                {
                    "reference_url": "https://github.com/run-llama/llama_index/pull/13523",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/run-llama/llama_index/pull/13523"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/42563?format=api",
                    "purl": "pkg:pypi/llama-index@0.10.38",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-24fd-7hp7-ryac"
                        },
                        {
                            "vulnerability": "VCID-4pds-7n7x-fkdj"
                        },
                        {
                            "vulnerability": "VCID-tr95-z5ss-r7hr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.38"
                }
            ],
            "aliases": [
                "CVE-2024-45201",
                "PYSEC-2024-192"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7fnz-sag8-nfe6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36690?format=api",
            "vulnerability_id": "VCID-rfef-698v-juad",
            "summary": "LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via \"Drop the Students table\" within English language input.",
            "references": [
                {
                    "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-12.yaml"
                },
                {
                    "reference_url": "https://github.com/run-llama/llama_index/issues/9957",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/run-llama/llama_index/issues/9957"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751",
                    "reference_id": "CVE-2024-23751",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23751"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87",
                    "reference_id": "GHSA-2jxw-4hm4-6w87",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-2jxw-4hm4-6w87"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/39126?format=api",
                    "purl": "pkg:pypi/llama-index@0.9.35",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-24fd-7hp7-ryac"
                        },
                        {
                            "vulnerability": "VCID-4pds-7n7x-fkdj"
                        },
                        {
                            "vulnerability": "VCID-7fnz-sag8-nfe6"
                        },
                        {
                            "vulnerability": "VCID-rfef-698v-juad"
                        },
                        {
                            "vulnerability": "VCID-tr95-z5ss-r7hr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.9.35"
                }
            ],
            "aliases": [
                "CVE-2024-23751",
                "GHSA-2jxw-4hm4-6w87",
                "PYSEC-2024-12"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfef-698v-juad"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37181?format=api",
            "vulnerability_id": "VCID-tr95-z5ss-r7hr",
            "summary": "LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.",
            "references": [
                {
                    "reference_url": "https://github.com/run-llama/llama_index",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "url": "https://github.com/run-llama/llama_index"
                },
                {
                    "reference_url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "url": "https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12"
                },
                {
                    "reference_url": "https://www.llamaindex.ai/",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "url": "https://www.llamaindex.ai/"
                },
                {
                    "reference_url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        }
                    ],
                    "url": "https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/44681?format=api",
                    "purl": "pkg:pypi/llama-index@0.11.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-24fd-7hp7-ryac"
                        },
                        {
                            "vulnerability": "VCID-4pds-7n7x-fkdj"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.7"
                }
            ],
            "aliases": [
                "CVE-2024-14021",
                "PYSEC-2026-85"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tr95-z5ss-r7hr"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.8.48"
}