Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LlamaIndex <= 0.11.6 BGEM3Index Unsafe Deserialization
Vulnerability Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
LlamaIndex 代码问题漏洞
Vulnerability Description
LlamaIndex是LlamaIndex开源的一个 LLM 应用程序的数据框架。 LlamaIndex 0.11.6及之前版本存在代码问题漏洞,该漏洞源于BGEM3Index.load_from_disk函数使用pickle.load反序列化用户提供的文件且未经验证,可能导致任意代码执行。
CVSS Information
N/A
Vulnerability Type
N/A