CVE-2024-3098: A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eva
highvulnerability
security
Summary
A vulnerability was found in the `safe_eval` function of the `llama_index` package that allows prompt injection (tricking an AI by hiding instructions in its input) to execute arbitrary code (running code an attacker chooses). The flaw exists because the input validation is insufficient, meaning the package doesn't properly check what data is being passed in, allowing attackers to bypass safety restrictions that were meant to prevent this type of attack.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Type
Prompt Injection
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
LlamaIndex
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-3098
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%