CRITICAL · CVE-2025-1750 · CVSS 9.8

CVE-2025-1750: SQL Injection in LlamaIndex

Platform

Python

Component

llama_index

Fixed in

0.3.1

AI Confidence: high · Source: NVD · EPSS 0.6% · Reviewed: May 2026

A critical SQL injection vulnerability has been identified in LlamaIndex, in the delete function of the DuckDBVectorStore component. The function builds its DELETE statement from the caller-supplied ref_doc_id parameter, so an attacker who controls that value can alter the query. Because DuckDB exposes file access through SQL, the injected statements can be used to read and write arbitrary files on the server. A fix has been released in version 0.3.1. Note that the 0.3.x version number belongs to the separately versioned DuckDB vector-store integration package (llama-index-vector-stores-duckdb, which provides DuckDBVectorStore), not to llama-index core, so check the version of that package: releases before 0.3.1 are affected.

Impact and Attack Scenarios

Successful exploitation lets an attacker change the meaning of the DELETE statement issued by DuckDBVectorStore. At minimum that allows deleting or corrupting other documents' vectors; because the injected SQL runs inside DuckDB, which can read and write host files through SQL, the same primitive can read sensitive configuration files or source code and write files of the attacker's choosing, which is the path to remote code execution the advisory warns of. Data exfiltration, denial of service and complete compromise of the server are all plausible outcomes. The arbitrary file write is what turns this from a data-integrity bug into a host-compromise bug.

Exploitation Context

This vulnerability is rated high-risk because of its CRITICAL CVSS score and the potential for remote code execution. The CVSS vector (AV:N, PR:N, UI:N) assumes the application passes untrusted input into ref_doc_id, for example through an endpoint that lets users delete documents they name; if ref_doc_id only ever comes from trusted server-side code, the practical exposure is lower, though the library flaw remains. The threat-intelligence fields below disagree on whether a public proof of concept exists (Exploit Status lists it as Unknown, the SSVC entry as poc); the injection is simple enough that one should be assumed. The vulnerability was publicly disclosed on 2025-06-02. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.63% (70th percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS v3.1 Base Score (nextguardhq.com; the vector string as published carries the CVSS:3.0 prefix)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: llama_index
Vendor: run-llama
Affected range: unspecified – 0.3.1 (versions before 0.3.1)
Fixed in: 0.3.1

Weakness Classification (CWE)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade to version 0.3.1 or later of the package that provides DuckDBVectorStore (the fix landed in the DuckDB vector-store integration, which is versioned separately from llama-index core). If upgrading is not immediately feasible, reduce exposure at the call site: validate ref_doc_id against an allowlist of expected characters before it reaches the store, and make sure no untrusted party can choose the value. Do not rely on escaping; the proper fix is binding ref_doc_id as a query parameter rather than interpolating it into the SQL text, as the patched version does, and validation is only a stopgap. Reduce the blast radius as well: run the LlamaIndex process with minimal file system permissions, and, where you control the DuckDB connection, DuckDB's own enable_external_access setting can be turned off to block COPY TO/FROM and the file-reading table functions that give this injection its file read/write capability (confirm first that your own ingestion path does not depend on them). Monitor application logs for unusual database activity or unexpected file system modifications.

How to fix

Update the package that provides DuckDBVectorStore to version 0.3.1 or higher (check the version of the DuckDB vector-store integration package, not only llama-index core). This release fixes the SQL injection in the delete function of DuckDBVectorStore by binding ref_doc_id as a query parameter instead of interpolating it into the SQL text, so the value can no longer change the structure of the query. After upgrading, confirm with pip show that the installed version is 0.3.1 or later and redeploy.

Frequently asked questions

What is CVE-2025-1750 — SQL Injection in LlamaIndex?

CVE-2025-1750 is a critical SQL injection vulnerability in the DuckDBVectorStore component of LlamaIndex, fixed in version 0.3.1 of the DuckDB vector-store package. It allows an attacker who controls the ref_doc_id passed to the delete function to alter the query and, through DuckDB's file functions, read and write files on the server.

Am I affected by CVE-2025-1750 in LlamaIndex?

If the DuckDB vector-store integration package you have installed is earlier than 0.3.1 and your application uses DuckDBVectorStore, you are potentially affected. Check the installed version now and upgrade if necessary; applications that do not use DuckDBVectorStore never reach the vulnerable code path.

How do I fix CVE-2025-1750 in LlamaIndex?

The recommended fix is to upgrade to version 0.3.1 or later. If upgrading is not possible, validate ref_doc_id against an allowlist at the call site and keep untrusted input away from it; this is a stopgap, not a fix.

Is CVE-2025-1750 being actively exploited?

While there are no confirmed reports of active exploitation at this time, the vulnerability's severity and potential impact suggest that exploitation is likely to occur.

Where can I find the official LlamaIndex advisory for CVE-2025-1750?

Refer to the official LlamaIndex security advisories and release notes on their GitHub repository for the most up-to-date information.
