Cyber Resilience

CVE-2025-1750

CriticalPublic PoC

Published: 02 June 2025

Published
02 June 2025
Modified
31 July 2025
KEV Added
Patch
CVSS Score v3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0168 82.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1750 is a critical-severity SQL Injection (CWE-89) vulnerability in Llamaindex Llamaindex. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 17.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. The flaw, tracked as CWE-89, permits manipulation of the ref_doc_id parameter and carries a CVSS 3.0 score of 9.8 reflecting network-exploitable conditions with no required authentication or user interaction.

An attacker able to supply a crafted ref_doc_id value can leverage the injection to read or write arbitrary files on the underlying server, an outcome that may be escalated to remote code execution.

The referenced commit 369a2942df2efcf6b74461c45d20a0af1fbe4ae2 in the llama_index repository addresses the issue, and details are also published via the associated huntr.com bounty entry.

The affected component is part of a widely used AI/ML framework for vector storage in LLM applications; the EPSS score has remained flat at 0.0168 with no material rise observed.

EU & UK References

Vulnerability details

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote…

more

code execution (RCE).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability enables exploitation of a public-facing application (T1190) via parameter manipulation and facilitates arbitrary file reads from the local system (T1005), with potential for RCE through file writes.

Affected Assets

llamaindex
llamaindex
0.12.19 — 0.12.21

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References