An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).
A critical SQL injection vulnerability was found in the delete function of DuckDBVectorStore within the run-llama/llama_index v0.12.19 package. Improper neutralization of user input in the ref_doc_id parameter allows attackers to inject arbitrary SQL statements. This could potentially lead to unauthorized file reading/writing and remote code execution (RCE) on the affected server.
llama_index
Potential consequences: full system compromise via remote code execution (RCE); data exfiltration or corruption; file system manipulation. Exploitation requires no authentication or user interaction and can be performed remotely with ease.
Remediation: commit fix (upstream patch). Input validation on ref_doc_id. Network segmentation to prevent remote access to the service. Regular code review for input handling. Deployment of a Web Application Firewall (WAF).
Detection: SQL injection detection rules in SIEM/WAF. Log file analysis for unexpected SQL query patterns.
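The following is an added illustration, not code from llama_index or from this advisory: it contrasts a delete routine that splices ref_doc_id into the statement text (the defect class described above) with one that applies the recommended input validation and a bound parameter. It assumes a constructed table and uses sqlite3 so it runs with the standard library; DuckDB's Python API accepts the same `?` placeholders via `execute(sql, params)`.

```python
import re
import sqlite3

# Constructed sample rows standing in for a vector-store table: (node_id, ref_doc_id).
SAMPLE_ROWS = [("n1", "docA"), ("n2", "docA"), ("n3", "docB"), ("n4", "docC")]


def make_store():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (node_id TEXT, ref_doc_id TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def remaining(conn):
    """Return the node_ids still present, sorted, so results are easy to compare."""
    return [row[0] for row in conn.execute("SELECT node_id FROM documents ORDER BY node_id")]


def delete_vulnerable(conn, ref_doc_id):
    # Pattern to avoid (CWE-89): the caller-controlled value becomes part of the
    # statement text, so a quote inside ref_doc_id changes the query's structure.
    conn.execute(f"DELETE FROM documents WHERE ref_doc_id = '{ref_doc_id}'")
    return remaining(conn)


# Assumed allowlist for this example: identifiers are short and contain no quotes.
REF_DOC_ID_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,128}$")


def delete_hardened(conn, ref_doc_id):
    # Input validation on ref_doc_id: reject anything outside the allowlist ...
    if not REF_DOC_ID_RE.fullmatch(ref_doc_id):
        raise ValueError("invalid ref_doc_id")
    # ... and bind the value as a parameter so it can never alter the statement.
    conn.execute("DELETE FROM documents WHERE ref_doc_id = ?", (ref_doc_id,))
    return remaining(conn)


if __name__ == "__main__":
    print(delete_vulnerable(make_store(), "docA"))          # ['n3', 'n4']
    print(delete_vulnerable(make_store(), "x' OR '1'='1"))  # [] : every row removed
    print(delete_hardened(make_store(), "docA"))            # ['n3', 'n4']
```

The second call shows why the advisory's remediation items matter: a single quote in the untrusted value turns a targeted delete into a table-wide one, while the hardened routine refuses the value outright.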
6/1/2025
No affected organizations specified