Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LlamaIndex <= 0.12.2 VannaQueryEngine SQL Execution Allows Resource Exhaustion
Vulnerability Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
CVSS Information
N/A
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
LlamaIndex 安全漏洞
Vulnerability Description
LlamaIndex是LlamaIndex开源的一个 LLM 应用程序的数据框架。 LlamaIndex 0.12.2及之前版本存在安全漏洞,该漏洞源于VannaPack VannaQueryEngine实现中未强制执行查询执行限制,可能导致资源消耗型拒绝服务攻击。
CVSS Information
N/A
Vulnerability Type
N/A