CVE-2025-1793: llama_index vulnerable to SQL Injection
9.8
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| llama-index | pip | < 0.12.28 | 0.12.28 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2025-1793 affects multiple vector store integrations in llama_index prior to version 0.12.28. The root cause is improper construction of SQL (or SQL-like, e.g. N1QL for Couchbase, TQL for DeepLake) queries: user-supplied data and configurable identifiers (table names, field names, document IDs, filter values, search terms) were concatenated or interpolated directly into query strings without adequate sanitization and without parameterized queries. This allowed attackers to inject SQL fragments, potentially leading to unauthorized data access (read or write) or other unintended database operations. The patches address these issues by adding input sanitization helpers (e.g. `_sanitize_input`, `escape_str`, `__sanitize_value`, `__sanitize_identifier`), switching to parameterized queries where the backend supports them, and validating identifiers used in query construction (e.g. table and column names at initialization). The affected functions are typically those that add, delete, or query data in each vector store, including the helper methods that build parts of these queries (e.g. `_append_meta_filter_condition`, `_build_text_search_statement`, `_create_where_clause`, `__generate_where_clause`). Initialization methods (`__init__`) are also implicated where they accept and store unvalidated identifiers that are later used in query construction.