CVE-2024-3271
Published: 16 April 2024
Summary
CVE-2024-3271 is a critical-severity Command Injection (CWE-77) vulnerability in Llamaindex Llamaindex. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain; MITRE ATLAS techniques in scope: Direct (AML.T0051.000), Infer Training Data Membership (AML.T0024.000), Financial Harm (AML.T0048.000).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1292
Vulnerability details
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved…
more
by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The vulnerability is in the run-llama/llama_index repository, a framework for building LLM-powered applications, RAG pipelines, and AI agents/assistants, fitting the Enterprise AI Assistants category.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability enables remote code execution via exploitation of a public-facing application (T1190) and arbitrary OS command execution using command interpreters (T1059).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.