CVE-2024-12909
Published: 20 March 2025
Summary
CVE-2024-12909 is a critical-severity SQL Injection (CWE-89) vulnerability in Llamaindex Llamaindex. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection in the run_sql_query function by requiring validation of untrusted SQL query inputs before execution.
Mandates timely patching of the vulnerable llama_index FinanceChatLlamaPack up to v0.12.3 to the fixed v0.3.0, eliminating the SQLi flaw.
Requires vulnerability scanning to identify and remediate the SQL injection vulnerability (CVE-2024-12909) in deployed llama_index components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in the run_sql_query function allows arbitrary SQL execution leading to RCE via PostgreSQL large objects, enabling exploitation of public-facing applications.
NVD Description
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote…
more
code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.
Deeper analysisAI
CVE-2024-12909 is a SQL injection vulnerability in the `run_sql_query` function of the `database_agent` within the FinanceChatLlamaPack of the run-llama/llama_index repository. It affects versions up to v0.12.3 and enables attackers to inject arbitrary SQL queries, which can lead to remote code execution (RCE) through PostgreSQL's large object functionality. The vulnerability is classified under CWE-89 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
The vulnerability is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation allows arbitrary SQL injection, culminating in RCE on the underlying PostgreSQL database server, potentially compromising the host system with high impacts on confidentiality, integrity, and availability.
Mitigation is provided in version 0.3.0 of the affected package. The fixing commit is documented at https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75, with additional details available on the Huntr bounty page at https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f. Security practitioners should upgrade to the patched version and review deployments using LlamaIndex for database-integrated LLM agents.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The vulnerability affects FinanceChatLlamaPack in the llama_index repository, a framework for building LLM agents and integrations, specifically in the database_agent's SQL query function, fitting AI agent protocols and integrations.