CVE-2024-58339
Published: 12 January 2026
Summary
CVE-2024-58339 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in LlamaIndex (run-llama/llama_index). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 42.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-58339 is an uncontrolled resource consumption vulnerability (CWE-770) affecting LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2. The issue resides in the VannaPack VannaQueryEngine implementation, specifically within the custom_query() function in llama_index/packs/vanna/base.py. This logic generates SQL statements from user-supplied prompts and executes them via vn.run_sql() without enforcing query execution limits, enabling resource exhaustion.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for denial-of-service. Remote attackers require no privileges or user interaction and can exploit it over the network with low complexity. In downstream deployments where untrusted users provide prompts to the VannaQueryEngine, an attacker can supply crafted prompts that generate expensive or unbounded SQL operations, exhausting CPU or memory resources and causing a denial-of-service condition.
Advisories from sources including VulnCheck, Huntr, and the LlamaIndex GitHub repository detail the vulnerability and its exploitation path. Security practitioners should consult these references (https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion and https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f) for guidance on identifying affected deployments and implementing mitigations such as input validation or query limits.
This issue is particularly relevant to AI/ML workflows, as LlamaIndex is a framework for building LLM-powered applications, potentially exposing data querying interfaces in production RAG systems to resource exhaustion attacks. No real-world exploitation has been reported in the provided details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2397
Vulnerability details
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
CWE(s)
- CWE-770 (Allocation of Resources Without Limits or Throttling)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llamaindex
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Uncontrolled resource consumption via crafted prompts enables application-level resource exhaustion through the VannaQueryEngine SQL execution path.
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against denial-of-service from unbounded SQL queries by limiting effects of resource exhaustion attacks triggered by malicious prompts.
SC-6 ensures resource availability by enforcing quotas and prioritization on CPU and memory during execution of user-prompt-generated SQL statements.
SI-10 mitigates the vulnerability by validating user-supplied prompts to inhibit generation of expensive or unbounded SQL operations.
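The advisory's core point (prompt-generated SQL handed to vn.run_sql() with no execution limits) and the SC-5/SC-6/SI-10 controls above both come down to one engineering change: the statement must run under a time budget, a row cap and a read-only policy before it reaches the database. The block below is an added illustration, not code from LlamaIndex or the VannaPack; it assumes a SQLite backend, and guarded_run_sql, build_demo_connection, demo, the sample sales table and the limit values are all hypothetical. It shows how a wrapper that stands in for the unguarded run_sql call turns a runaway cross join into a clean timeout, caps an oversized result, and refuses a write at prepare time.

```python
"""Execution limits for LLM-generated SQL (added example, not LlamaIndex code).

Assumes a SQLite backend; the wrapper guarded_run_sql() stands in for the
unguarded vn.run_sql(sql) call described in the advisory.
"""
import sqlite3
import time

# Hypothetical limits; real values depend on the deployment.
DEFAULT_MAX_SECONDS = 2.0
DEFAULT_MAX_ROWS = 100


class QueryLimitExceeded(Exception):
    """The statement ran past its time budget and was interrupted."""


class QueryNotAllowed(Exception):
    """The statement tried to do something other than read data."""


def _authorizer(action, arg1, arg2, db_name, trigger):
    # SQLite consults this callback while compiling each statement. Only plain
    # SELECTs, column reads and built-in functions are allowed; writes, schema
    # changes, ATTACH and recursive CTEs are denied before any work is done.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def build_demo_connection():
    """Constructed sample data: a 2000-row table, then locked to read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales(id INTEGER PRIMARY KEY, region TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO sales(region, amount) VALUES (?, ?)",
        [("north" if i % 2 == 0 else "south", i * 1.5) for i in range(2000)],
    )
    conn.commit()
    conn.set_authorizer(_authorizer)  # installed after the fixture is written
    return conn


def guarded_run_sql(conn, sql, max_seconds=DEFAULT_MAX_SECONDS, max_rows=DEFAULT_MAX_ROWS):
    """Run one generated statement under a time budget and a row cap.

    Returns (rows, truncated). Raises QueryLimitExceeded when the budget is
    spent and QueryNotAllowed when the authorizer rejects the statement.
    """
    deadline = time.monotonic() + max_seconds

    def progress():
        # Invoked every 1000 VM instructions; a non-zero return interrupts the
        # running statement, which surfaces as OperationalError("interrupted").
        return 1 if time.monotonic() > deadline else 0

    conn.set_progress_handler(progress, 1000)
    try:
        cur = conn.execute(sql)             # sqlite3 itself rejects multi-statement strings
        rows = cur.fetchmany(max_rows + 1)  # one extra row tells us the result was capped
    except sqlite3.Error as exc:
        message = str(exc)
        if "interrupted" in message:
            raise QueryLimitExceeded(f"query exceeded {max_seconds}s budget") from exc
        if "not authorized" in message:
            raise QueryNotAllowed(message) from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)  # never leave the deadline on the connection
    return rows[:max_rows], len(rows) > max_rows


def demo(max_seconds=0.5, max_rows=10):
    """Exercise the guard on four constructed statements; returns outcome labels."""
    conn = build_demo_connection()
    cases = {
        "cheap_aggregate": "SELECT count(*) FROM sales",
        "large_result": "SELECT id, region FROM sales ORDER BY id",
        "runaway_join": "SELECT count(*) FROM sales a, sales b, sales c",  # 8e9-row scan
        "write_attempt": "DELETE FROM sales",
    }
    outcomes = {}
    for name, sql in cases.items():
        try:
            rows, truncated = guarded_run_sql(conn, sql, max_seconds, max_rows)
            outcomes[name] = "truncated" if truncated else f"ok:{len(rows)}"
        except QueryLimitExceeded:
            outcomes[name] = "timeout"
        except QueryNotAllowed:
            outcomes[name] = "denied"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The three controls map onto the three mechanisms: the progress-handler deadline bounds CPU time per statement (SC-5), the row cap bounds memory and transfer per result (SC-6), and the authorizer rejects statement classes that should never be reachable from a prompt (SI-10). Server-side databases offer the same knobs under other names (statement timeouts, result limits, a read-only role), and those should be set on the database connection itself rather than trusted to prompt filtering alone.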