CVE-2024-12911: A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index reposito
highvulnerabilityLLM-Specific
security
Summary
CVE-2024-12911 is a vulnerability in the `default_jsonalyzer` function of `JSONalyzeQueryEngine` in the llama_index library that allows attackers to perform SQL injection (inserting malicious SQL commands) through prompt injection (hiding hidden instructions in the AI's input). This can lead to arbitrary file creation and denial-of-service attacks (making a system unavailable by overwhelming it).
Solution / Mitigation
The vulnerability is fixed in version 0.5.1 of llama_index. Users should upgrade to this version or later.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Type
Prompt Injection
Attack SophisticationModerate
Impact (CIA+S)
integrityavailability
Affected Vendors
LlamaIndex
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-12911
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%