CVE-2024-23751

CVSS 9.8 - CRITICAL
Description

LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

Affected Products
1
Vendor Product Version
llamaindex llamaindex All versions
References
https://github.com/run-llama/llama_index/issues/99...
https://github.com/run-llama/llama_index/issues/99...
Weakness Types
CWE-89 CWE-89
CVE Information
CVE ID:
CVE-2024-23751
Published:
2024-01-22
Modified:
2025-06-20
CVSS Score:
9.8
Severity:
CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Vendors
llamaindex
Quick Actions
View on NVD Find Similar CVEs
CVSS Severity Scale
0.0 - 3.9 LOW
4.0 - 6.9 MEDIUM
7.0 - 8.9 HIGH
9.0 - 10.0 CRITICAL