Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-3271

A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.

Published

2024-04-16T00:15:12.017

Last Modified

2025-07-30T00:14:52.717

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	llamaindex	llamaindex	< 0.10.26	Yes

References

https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475 Patch ([email protected])
https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279 Exploit, Third Party Advisory ([email protected])
https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)