
CVE-2024-12911:
LlamaIndex vulnerable to Creation of Temporary File in Directory with Insecure Permissions

CVSS Score (CVSS 3.0): 7.1

Basic Information

EPSS Score: 0.08856%
Published: 3/20/2025
Updated: 3/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Package Name: llama-index
Ecosystem: pip
Vulnerable Versions: (not listed)
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from SQL injection in the `default_jsonalyzer` function of JSONalyzeQueryEngine, as confirmed by the CVE/GHSA descriptions. The function builds its SQL query from untrusted input (LLM output that can be steered through prompt injection), so arbitrary SQL statements can be executed. SQLite's ATTACH DATABASE statement in particular creates files on disk, which is the temporary-file-creation aspect that maps this issue to CWE-379. The patch moved the class to experimental with warnings about arbitrary file creation, confirming that the risk resided in this function's implementation.
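An added example, not llama_index code, that shows the defensive side of the analysis above: LLM-generated SQL run verbatim against SQLite can ATTACH a database and thereby create a file, while an SQLite authorizer confines that SQL to read-only queries on the analysis table. The `items` table, the sample rows, and the `run_model_sql` / `attach_creates_file` helpers are constructed for this illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample records standing in for the JSON the engine analyzes.
SAMPLE_ROWS = [{"name": "a", "price": 2.0}, {"name": "b", "price": 4.0}]


def _load(conn, rows):
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(r["name"], r["price"]) for r in rows])
    conn.commit()  # close the implicit transaction before untrusted SQL runs


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: permit only reads of the analysis table."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "items":
        return sqlite3.SQLITE_OK
    # ATTACH, CREATE, INSERT, PRAGMA and everything else is refused at prepare time.
    return sqlite3.SQLITE_DENY


def run_model_sql(model_sql, rows=SAMPLE_ROWS, hardened=True):
    """Execute one LLM-produced statement; returns ("ok", rows) or ("denied", msg)."""
    conn = sqlite3.connect(":memory:")
    try:
        _load(conn, rows)
        if hardened:
            conn.set_authorizer(_read_only_authorizer)
        return "ok", conn.execute(model_sql).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized" lands here
        return "denied", str(exc)
    finally:
        conn.close()


def attach_creates_file(hardened):
    """Run an ATTACH against a fresh temp path; report (status, file_was_created)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dropped.db")
        status, _ = run_model_sql(f"ATTACH DATABASE '{path}' AS x", hardened=hardened)
        return status, os.path.exists(path)


if __name__ == "__main__":
    print(run_model_sql("SELECT AVG(price) FROM items"))
    print("unhardened:", attach_creates_file(hardened=False))
    print("hardened:  ", attach_creates_file(hardened=True))
```

Python's `execute` already refuses stacked statements, so the unhardened run shows that a single model-emitted ATTACH is enough; the authorizer, not statement counting, is what closes the hole.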


WAF Protection Rules

WAF Rule

A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. Th
