CVE-2024-12909
Published: 2025-03-20
Priority: P262 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.31% (67.1st percentile)
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.
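The advisory names the bug class (an agent passing model-generated SQL straight to the database) but not the code behind `run_sql_query`. The block below is an added example, not code from llama_index or the finchat pack, of the two-layer control a consumer of any such agent would want: a text-level gate that admits only a single SELECT/WITH statement and refuses the PostgreSQL large-object and server-file functions the advisory's RCE path relies on, plus a read-only database session so that a bypass of the text gate still cannot write. Everything here is assumed: the function names, the `prices` table, and the use of sqlite3 (with `PRAGMA query_only`) so it runs offline; the PostgreSQL equivalents are noted in comments.

```python
import re
import sqlite3

# Tokens that must never appear in model-generated SQL handed to the database.
# lo_import/lo_export and the pg_* file functions reach the server filesystem
# (the large-object route named in the advisory); the rest change data or schema.
BLOCKED_TOKENS = (
    "lo_import", "lo_export", "lo_from_bytea", "lo_put", "lo_unlink",
    "pg_read_file", "pg_read_binary_file", "pg_ls_dir", "dblink",
    "insert", "update", "delete", "into", "create", "drop", "alter",
    "grant", "truncate", "copy",
)


def _strip_comments(sql: str) -> str:
    """Drop -- line comments and /* */ block comments so a comment cannot hide
    a second statement from the checks below."""
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)


def _split_statements(sql: str) -> list:
    """Split on semicolons that sit outside single-quoted string literals."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_str and sql[i + 1:i + 2] == "'":  # '' is an escaped quote
                buf.append("''")
                i += 2
                continue
            in_str = not in_str
        elif ch == ";" and not in_str:
            stmts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def check_readonly_query(sql: str) -> tuple:
    """Return (ok, reason). ok is True only for one SELECT/WITH statement that
    contains none of BLOCKED_TOKENS. This is a text-level filter and is only
    defence in depth: the database role itself must be read-only."""
    stmts = _split_statements(_strip_comments(sql))
    if len(stmts) != 1:
        return False, f"expected exactly one statement, found {len(stmts)}"
    stmt = stmts[0]
    m = re.match(r"(\w+)", stmt)
    first = m.group(1).upper() if m else ""
    if first not in ("SELECT", "WITH"):
        return False, "only SELECT/WITH statements are allowed"
    lowered = stmt.lower()
    for tok in BLOCKED_TOKENS:
        if re.search(r"\b" + re.escape(tok) + r"\b", lowered):
            return False, f"blocked token: {tok}"
    return True, "ok"


def run_model_sql(conn: sqlite3.Connection, sql: str) -> list:
    """Gate, then execute one statement. execute() (never executescript())
    runs a single statement; the connection is read-only as a second layer."""
    ok, reason = check_readonly_query(sql)
    if not ok:
        raise ValueError(f"refused model-generated SQL: {reason}")
    return conn.execute(sql).fetchall()


def demo_connection() -> sqlite3.Connection:
    """Constructed sample table standing in for the finance tables the agent
    queries; after seeding, the connection is switched to read-only.
    For PostgreSQL the equivalent is a dedicated non-superuser role holding
    only SELECT grants, with default_transaction_read_only = on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (ticker TEXT, close REAL)")
    conn.executemany("INSERT INTO prices VALUES (?, ?)",
                     [("ACME", 10.5), ("FOO", 20.0)])
    conn.commit()
    conn.execute("PRAGMA query_only = ON")
    return conn


def readonly_layer_blocks_write(conn: sqlite3.Connection) -> bool:
    """True if the database-level read-only setting rejects a write even when
    the text filter is bypassed entirely."""
    try:
        conn.execute("INSERT INTO prices VALUES ('X', 0)")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = demo_connection()
    print(run_model_sql(conn, "SELECT ticker, close FROM prices WHERE close > 15"))
    for bad in ("SELECT 1 /* hidden */; DELETE FROM prices",
                "SELECT lo_export(1, '/placeholder/path')",
                "WITH t AS (SELECT 1) INSERT INTO prices SELECT 'Z', 1 FROM t"):
        print(bad, "->", check_readonly_query(bad))
    print("read-only layer holds:", readonly_layer_blocks_write(conn))
```

The text filter is deliberately strict (a column literally named `copy` or `into` would be refused) because the cost of a false refusal is one failed agent turn, while the database role is the control that actually bounds damage: on PostgreSQL the server-side large-object functions are superuser-only unless explicitly granted, so an agent role that is not a superuser and cannot write closes the path the advisory describes regardless of what the model emits.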
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| llamaindex | llamaindex | < 0.3.0 | 0.3.0 |
| run-llama | run-llama_llama_index | >= unspecified < 0.3.0 | 0.3.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
OSV
llama-index-packs-finchat SQL Injection vulnerability (osv · 2025-03-20 · CVE-2024-12909 · CRITICAL)
A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality.
The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch of the repository, thereby removing it from the documentation and other listings.
GHSA
llama-index-packs-finchat SQL Injection vulnerability (ghsa · 2025-03-20 · CVE-2024-12909 · CRITICAL · CWE-89)
A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality.
The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch of the repository, thereby removing it from the documentation and other listings.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-20