
CVE-2024-45201: LlamaIndex includes an exec call for `import {cls_name}`

CVSS Score
9.8 (CVSS 3.1)

Basic Information

EPSS Score
0.48805%
Published
8/22/2024
Updated
1/21/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name        Ecosystem   Vulnerable Versions   First Patched Version
llama-index-core    pip         < 0.10.38             0.10.38

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the line exec(f'from {module_import_str} import {cls_name}') in download_integration(), which the fix commit removes. Because the module path and class name are interpolated directly into source text that is then executed, an attacker who controls cls_name or module_import_str can inject arbitrary Python statements, matching CWE-94 (Improper Control of Generation of Code). The commit removes this exec call as the fix, and all vulnerability descriptions reference this code pattern as the root cause.
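As an added illustration of the mitigation (not LlamaIndex's own code), the loader below resolves a module path and class name the way the removed exec line intended, but without executing generated source: every dotted component must be a bare identifier, the module is loaded through importlib, and an optional package-prefix allowlist keeps a valid-looking path from reaching unexpected modules. The function and class names, and the allowlist parameter, are assumptions made for this example.

```python
import importlib
import keyword


class UnsafeImportPath(ValueError):
    """Raised when a module path or class name is not a plain dotted identifier."""


def _is_plain_identifier(name: str) -> bool:
    # A valid identifier cannot contain ';', '(', quotes, whitespace or
    # newlines, so once every component passes this check there is no way
    # to smuggle an extra statement into the import.
    return name.isidentifier() and not keyword.iskeyword(name)


def is_safe_import_path(module_import_str: str, cls_name: str,
                        allowed_prefixes: tuple = ()) -> bool:
    """Return True only if both names are bare identifiers (and allowlisted)."""
    if not all(_is_plain_identifier(p) for p in module_import_str.split(".")):
        return False
    if not _is_plain_identifier(cls_name):
        return False
    if allowed_prefixes:
        # Compare on package boundaries so "llama_index" does not also
        # admit a module named "llama_indexfoo".
        return any(module_import_str == p or module_import_str.startswith(p + ".")
                   for p in allowed_prefixes)
    return True


def load_integration_class(module_import_str: str, cls_name: str,
                           allowed_prefixes: tuple = ()):
    """Resolve module_import_str.cls_name without exec().

    Equivalent in intent to `from {module_import_str} import {cls_name}`,
    but the inputs are validated as identifiers and never become source text.
    """
    if not is_safe_import_path(module_import_str, cls_name, allowed_prefixes):
        raise UnsafeImportPath(
            f"refusing to import {cls_name!r} from {module_import_str!r}")
    module = importlib.import_module(module_import_str)
    try:
        return getattr(module, cls_name)
    except AttributeError as exc:
        raise ImportError(f"{module_import_str} has no attribute {cls_name}") from exc
```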

WAF Protection Rules

WAF Rule

An issue was discovered in llama_index before 0.10.38. `download/integration.py` includes an exec call for `import {cls_name}`.
