{"data":{"id":"ad8a95b4-5383-49ec-882f-d0b17e8e8e1a","title":"CVE-2024-12911: A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index reposito","summary":"CVE-2024-12911 is a vulnerability in the `default_jsonalyzer` function of `JSONalyzeQueryEngine` in the llama_index library that allows attackers to perform SQL injection (inserting malicious SQL commands) through prompt injection (embedding hidden instructions in the AI's input). This can lead to arbitrary file creation and denial-of-service attacks (making a system unavailable by overwhelming it).","solution":"The vulnerability is fixed in version 0.5.1 of llama_index. Users should upgrade to this version or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-12911","publishedAt":"2025-03-20T10:15:32.083Z","cveId":"CVE-2024-12911","cweIds":["CWE-89"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LlamaIndex"],"affectedVendorsRaw":["run-llama/llama_index","LlamaIndex"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00161,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-66"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"rag","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}