Platform
python
Component
llama-index-retrievers-duckdb-retriever
Fixed in
0.4.0
A critical SQL injection vulnerability has been identified in the llama-index-retrievers-duckdb-retriever component, specifically affecting versions up to 0.3.0. This flaw allows attackers to inject malicious SQL code into queries, potentially leading to remote code execution. The vulnerability stems from the improper construction of SQL queries without utilizing prepared statements. Affected users should immediately upgrade to version 0.4.0 to mitigate this risk.
The impact of this SQL injection vulnerability is severe. An attacker can leverage it to execute arbitrary SQL commands against the DuckDB database. The description explicitly mentions the possibility of achieving remote code execution (RCE) by installing the shellfs extension and then executing malicious commands. This could allow an attacker to gain complete control over the affected system, exfiltrate sensitive data, modify database contents, or even pivot to other systems within the network. The potential for data breaches and system compromise is significant.
This vulnerability is considered highly exploitable due to the ease of SQL injection and the potential for RCE. While no public exploits have been widely reported, the combination of a CRITICAL CVSS score and the potential for RCE suggests a high probability of exploitation. The vulnerability was publicly disclosed on 2025-03-20. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Applications leveraging the llama-index-retrievers-duckdb-retriever component for data retrieval from DuckDB databases are at risk. This includes projects utilizing the run-llama/llama_index repository and those integrating DuckDB as a data source. Specifically, deployments using older versions (≤0.3.0) and those lacking robust input validation are particularly vulnerable.
• python / supply-chain:

```python
import re
from importlib.metadata import version

installed = version('llama-index-retrievers-duckdb-retriever')  # raises PackageNotFoundError if absent
# Every release up to and including 0.3.0 is affected; compare numerically rather than by substring
if tuple(int(p) for p in re.findall(r'\d+', installed)[:3]) <= (0, 3, 0):
    print(f'Vulnerable version detected: {installed}')
```

• generic web: Check for DuckDB database endpoints exposed in the application. Use curl to test for SQL injection vulnerabilities.

```shell
curl 'http://example.com/duckdb_endpoint?query=1%20OR%201=1' # Replace with actual endpoint
```
Exploit status
EPSS
1.17% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11958 is to upgrade the llama-index-retrievers-duckdb-retriever component to version 0.4.0 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on any user-supplied data used in SQL queries. While not a complete solution, this can reduce the attack surface. Additionally, review and restrict the permissions granted to the DuckDB user account to limit the potential damage from a successful SQL injection attack. After upgrading, confirm the fix by attempting to inject a simple SQL statement and verifying that it is properly sanitized.
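The root cause named above (queries built by string concatenation instead of prepared statements) and the layered mitigations in this section (parameterize values, validate what cannot be parameterized, restrict what the database session may do) are shown side by side in the following added example. It is constructed for this page and is not code from llama-index; the `docs` table, the sample rows, and the retriever functions are assumptions, not the real retriever's schema or API. It uses DuckDB when the module is installed and otherwise falls back to `sqlite3`, whose DB-API `?` placeholders behave the same way, so it runs offline either way.

```python
"""Constructed example: a minimal document retriever that filters rows by a
user-supplied category, once with string formatting (the pattern this advisory
describes) and once with a prepared statement, plus an allowlist for the one
query part that cannot be bound as a parameter."""

try:
    import duckdb
    HAVE_DUCKDB = True
except ImportError:  # stand-in backend (assumption: same '?' placeholder semantics)
    import sqlite3
    HAVE_DUCKDB = False

# Constructed sample corpus; not the retriever's real schema or data.
SAMPLE_DOCS = [
    (1, "public", "Release notes for version 0.4.0"),
    (2, "internal", "Quarterly revenue forecast"),
    (3, "internal", "Employee salary bands"),
]

# Identifiers (column names) cannot be bound as parameters, so they are allowlisted.
ALLOWED_SORT_COLUMNS = {"id", "text"}


def connect():
    """Open an in-memory database seeded with the sample corpus."""
    if HAVE_DUCKDB:
        con = duckdb.connect(":memory:")
        # Defence in depth: forbid extension installation/loading and file-system
        # access for this session, which closes the INSTALL/LOAD path the
        # advisory names as the route from SQL injection to code execution.
        con.execute("SET enable_external_access = false")
    else:
        con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (id INTEGER, category VARCHAR, text VARCHAR)")
    for row in SAMPLE_DOCS:
        con.execute("INSERT INTO docs VALUES (?, ?, ?)", row)
    return con


def retrieve_unsafe(con, category):
    """Vulnerable pattern: the filter value is spliced into the SQL text."""
    sql = f"SELECT id, text FROM docs WHERE category = '{category}'"
    return con.execute(sql).fetchall()


def retrieve_safe(con, category):
    """Fixed pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id, text FROM docs WHERE category = ?"
    return con.execute(sql, [category]).fetchall()


def retrieve_sorted(con, category, sort_by="id"):
    """Fixed pattern for a non-parameterizable part: the sort column is checked
    against an allowlist before it is interpolated; the value is still bound."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT id, text FROM docs WHERE category = ? ORDER BY {sort_by}"
    return con.execute(sql, [category]).fetchall()


if __name__ == "__main__":
    con = connect()
    payload = "public' OR '1'='1"   # constructed tautology payload
    print("unsafe:", retrieve_unsafe(con, payload))   # every row, including internal ones
    print("safe:  ", retrieve_safe(con, payload))     # no row has that literal category
    print("sorted:", retrieve_sorted(con, "internal", "id"))
```

The tautology payload makes the string-built query return all three rows, internal documents included, while the prepared statement treats the same bytes as an ordinary category value and matches nothing. The `enable_external_access` setting is applied only on the DuckDB branch; it is a session-level hardening that complements, but does not replace, the upgrade to 0.4.0.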
Update the LlamaIndex library to version 0.4.0 or higher. This version contains a fix for the SQL injection vulnerability in the `duckdb_retriever` component. Updating will prevent arbitrary code execution through the injection of malicious SQL commands.
CVE-2024-11958 is a critical SQL injection vulnerability in the llama-index-retrievers-duckdb-retriever component, allowing attackers to inject malicious SQL code.
You are affected if you are using llama-index-retrievers-duckdb-retriever versions 0.3.0 or earlier.
Upgrade to version 0.4.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no widespread exploitation has been confirmed, the vulnerability's severity and potential for RCE suggest a high probability of exploitation.
Refer to the official llama-index repository and security advisories for the latest information and updates.