CVE-2024-4181
published 2024-05-16


Priority: P356
CVSS 3.0 base score: 8.8 (High)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 2.12% (79.5th percentile)
A command injection vulnerability (strictly, code injection through eval) exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to large language models (LLMs). The vulnerability arises from improper use of Python's built-in eval function: the client passes the response it receives from the LLM hosting provider to eval, so a malicious or compromised hosting provider can return a response body that executes arbitrary code on the client's machine. The CVSS vector reflects this: the attack is network-reachable and needs no privileges, but it requires the client to interact with the attacker-controlled host (UI:R). This issue was fixed in version 0.10.13. Exploitation could give the hosting provider full control over client machines.
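The following is an added example, not code from llama_index or from the RunGpt project. It reproduces the class of bug described above in a self-contained way: an HTTP response body from an LLM host is parsed with eval (vulnerable) versus json.loads plus schema validation (hardened). The response schema with a "choices" list and the RUNGPT_PWNED marker are assumptions made for illustration; the malicious body is constructed here and only sets an environment variable to prove that code ran.

```python
import json
import os

# Constructed benign response body in an assumed {"choices": [{"text": ...}]} shape.
BENIGN_BODY = '{"choices": [{"text": "Hello from the model"}]}'

# Constructed malicious body: valid Python, not valid JSON. Under eval() it runs
# arbitrary code (here a harmless environment-variable write used as a marker)
# and still evaluates to a dict that looks like a normal response.
MALICIOUS_BODY = (
    "__import__('os').environ.update({'RUNGPT_PWNED': '1'}) or "
    '{"choices": [{"text": "Hello from the model"}]}'
)


def parse_response_vulnerable(body: str) -> dict:
    """The dangerous pattern: the remote host's bytes are treated as Python source."""
    return eval(body)


def parse_response_hardened(body: str) -> dict:
    """Parse strictly as JSON, then validate the shape before anything uses it."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"non-JSON response from LLM host: {exc}") from exc
    choices = data.get("choices") if isinstance(data, dict) else None
    if not isinstance(choices, list) or not choices:
        raise ValueError("unexpected response schema: missing 'choices'")
    for choice in choices:
        if not isinstance(choice, dict) or not isinstance(choice.get("text"), str):
            raise ValueError("unexpected response schema: bad 'choices' entry")
    return data


def extract_text(body: str, parser) -> str:
    """What a client does with the parsed response: pull out the completion text."""
    return parser(body)["choices"][0]["text"]


def demo() -> dict:
    """Run both parsers against the constructed bodies and report what happened."""
    os.environ.pop("RUNGPT_PWNED", None)
    vulnerable_text = extract_text(MALICIOUS_BODY, parse_response_vulnerable)
    code_executed = os.environ.get("RUNGPT_PWNED") == "1"  # marker set by the payload
    os.environ.pop("RUNGPT_PWNED", None)

    try:
        extract_text(MALICIOUS_BODY, parse_response_hardened)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "vulnerable_text": vulnerable_text,      # looks like a normal completion
        "code_executed": code_executed,          # True: the payload ran
        "hardened_rejected": hardened_rejected,  # True: json.loads refused it
        "hardened_benign_text": extract_text(BENIGN_BODY, parse_response_hardened),
        "env_clean_after_hardened": "RUNGPT_PWNED" not in os.environ,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that the vulnerable parser returns a perfectly ordinary-looking completion, so nothing in the client's normal output reveals that the host ran code. Replacing eval with json.loads is the actual fix; the extra schema check is a defence in depth so that a host cannot smuggle unexpected types into code that indexes the response.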

Affected (2 ranges)

Vendor       Product                  Version range               Fixed in
llamaindex   llamaindex               >= 0.9.47, < 0.10.13        0.10.13
run-llama    run-llama/llama_index    >= unspecified, < 0.10.13   0.10.13
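An added helper, not part of the page or the project, for turning the table above into a check against an installed environment. It assumes the PyPI distribution name llama-index for the llama_index import package, and treats any version below 0.10.13 as in scope, since the second range's lower bound is unspecified. The version parser only handles dotted numeric releases with an optional trailing tag (an assumption adequate for this range check).

```python
from importlib import metadata

FIXED_VERSION = "0.10.13"
FIRST_KNOWN_AFFECTED = "0.9.47"  # earliest version the page names; lower bound of range 1


def parse_version(version: str) -> tuple:
    """Turn '0.10.13' (or '0.10.13rc1') into a tuple of ints for comparison.
    Leading digits of each dotted component are kept; trailing tags are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or "0"))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version falls before the fix (both table rows end at 0.10.13)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_installed(distributions=("llama-index",)) -> list:
    """Look up each distribution's installed version and flag affected ones.
    Returns (name, version-or-None, affected) per distribution."""
    results = []
    for dist in distributions:
        try:
            installed = metadata.version(dist)
        except metadata.PackageNotFoundError:
            results.append((dist, None, False))
            continue
        results.append((dist, installed, is_affected(installed)))
    return results


if __name__ == "__main__":
    for name, version, affected in check_installed():
        state = "not installed" if version is None else ("AFFECTED" if affected else "ok")
        print(f"{name}: {version} -> {state}")
```

The check is deliberately conservative: a pre-release such as 0.10.13rc1 compares equal to 0.10.13 and is reported as fixed, so if pre-releases matter in your environment, pin to the final release rather than relying on this comparison.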