Run-Llama JSONalyzeQueryEngine SQL Injection Vulnerability Allowing Arbitrary File Creation and Denial-of-Service

Vulnerability

A SQL injection vulnerability has been identified in the 'default_jsonalyzer' function of the 'JSONalyzeQueryEngine' in the run-llama/llama_index repository. The engine hands SQL generated by the language model to its database, so the injection is reached through prompt injection: an attacker who can influence the natural-language query can steer the model into emitting SQL statements of their choosing. Those statements can create arbitrary files on the machine running the engine and can be used for Denial-of-Service (DoS). The issue affected the latest release at the time of the report and is fixed in version 0.5.1.

Impact

Successful exploitation gives the attacker SQL execution on the engine's database, which is enough to write arbitrary files on the host and to exhaust its resources (DoS). Any deployment that lets untrusted users submit questions to this engine is exposed, because the injection rides on the user's prompt rather than on direct database access.

Remediation

Update to version 0.5.1 to obtain the fix. The deprecated 'JSONalyzeQueryEngine' should be replaced with the version provided by 'llama-index-experimental'.
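The following is an added illustration, not code from llama_index or from the fix, of the guard rails a practitioner should put around model-generated SQL of the kind this engine runs. It assumes (an assumption for this example, not a statement about the project's internals) that the engine loads the JSON rows into an in-memory SQLite table and executes the model's SQL against it; the table name 'items', the sample rows and the instruction budget are constructed for the example. It combines three checks: a textual pre-check that admits only a single SELECT, a SQLite authorizer that denies every non-read action (ATTACH, PRAGMA, CREATE, INSERT, and OS-reaching functions such as load_extension), and a progress handler that aborts a statement once it exceeds a fixed VM-instruction budget, which is the DoS guard.

```python
import sqlite3

# Constructed sample rows standing in for the JSON list the engine analyzes.
SAMPLE_ROWS = [
    {"name": "alice", "age": 31, "city": "Oslo"},
    {"name": "bob", "age": 45, "city": "Lima"},
    {"name": "carol", "age": 27, "city": "Oslo"},
]
TABLE = "items"  # assumed table name for this example, not necessarily the engine's

# Authorizer actions a read-only analytic SELECT legitimately needs.
# Everything else (ATTACH, DETACH, PRAGMA, CREATE, INSERT, ...) is denied.
ALLOWED_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,   # COUNT(), AVG(), ...
    sqlite3.SQLITE_RECURSIVE,  # recursive CTEs: allowed, but budget-limited below
}
DENIED_FUNCTIONS = {"load_extension"}  # SQL-callable functions that reach the OS


def _authorize(action, arg1, arg2, db_name, trigger):
    """SQLite authorizer callback, consulted for every operation at prepare time."""
    if action == sqlite3.SQLITE_FUNCTION and arg2 in DENIED_FUNCTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def is_single_select(sql):
    """Textual pre-check: exactly one statement, and it must start with SELECT or WITH."""
    body = sql.strip().rstrip(";").strip()
    if not body or ";" in body:  # reject statement stacking ("SELECT 1; ATTACH ...")
        return False
    return body.split(None, 1)[0].upper() in ("SELECT", "WITH")


def _load_rows(conn, rows):
    """Create TABLE from the JSON keys and insert the rows (runs before the authorizer)."""
    cols = list(rows[0].keys())
    quoted = ", ".join('"%s"' % c.replace('"', '""') for c in cols)
    conn.execute(f'CREATE TABLE "{TABLE}" ({quoted})')
    placeholders = ", ".join("?" * len(cols))
    conn.executemany(
        f'INSERT INTO "{TABLE}" VALUES ({placeholders})',
        [tuple(r.get(c) for c in cols) for r in rows],
    )
    conn.commit()


def run_model_sql(sql, rows=SAMPLE_ROWS, max_ticks=2000):
    """Execute model-written SQL under the three guards.

    Returns (True, result_rows) on success or (False, reason) when a guard fires.
    """
    if not is_single_select(sql):
        return False, "rejected: only a single SELECT statement is allowed"
    conn = sqlite3.connect(":memory:")
    try:
        _load_rows(conn, rows)            # needs CREATE/INSERT, so before the authorizer
        conn.set_authorizer(_authorize)   # from here on, only reads are authorized
        ticks = {"n": 0}

        def budget():
            ticks["n"] += 1
            return ticks["n"] > max_ticks  # non-zero return aborts the running statement

        conn.set_progress_handler(budget, 1000)  # invoked every 1000 VM instructions
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized", "interrupted", syntax errors
        return False, f"rejected: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed model outputs: one benign query and three hostile ones.
    for query in (
        "SELECT city, COUNT(*) AS n FROM items GROUP BY city ORDER BY n DESC",
        "ATTACH DATABASE '/tmp/pwned.db' AS x",
        "SELECT load_extension('/tmp/evil.so')",
        "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c WHERE x < 100000000) "
        "SELECT COUNT(*) FROM c",
    ):
        print(run_model_sql(query))
```

The textual check alone is not enough, which is why the other two layers are there: a statement that begins with SELECT can still call functions that touch the filesystem, and a single well-formed SELECT can run for as long as the attacker likes. The authorizer closes the first gap at prepare time, before any row is touched, and the progress handler closes the second by turning a runaway query into an ordinary error.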

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  spread          0.0
  impact          7.5
  exploitability  8.1
  remediation     7.7
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.