llama-index@0.9.12a2 vulnerabilities

Interface between LLMs and your data

latest version

0.10.37
first published

a year ago
latest version published

2 days ago
licenses detected
- MIT
  [0,)
View llama-index package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the llama-index package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Command Injection llama-index is an Interface between LLMs and your data Affected versions of this package are vulnerable to Command Injection due to the `safe_eval` function. An attacker can execute arbitrary code on the server hosting the application by crafting input that, while not containing an underscore, still results in the execution of OS commands. How to fix Command Injection? Upgrade `llama-index` to version 0.10.24 or higher.	[,0.10.24)
H SQL Injection llama-index is an Interface between LLMs and your data Affected versions of this package are vulnerable to SQL Injection via the Text-to-SQL feature in `NLSQLTableQueryEngine`, `SQLTableRetrieverQueryEngine`, `NLSQLRetriever`, `RetrieverQueryEngine` and `PGVectorSQLQueryEngine`. An attacker can manipulate or corrupt database contents by injecting SQL commands into the English language input. How to fix SQL Injection? There is no fixed version for `llama-index`.	[0,)

Command Injection

llama-index is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Command Injection due to the safe_eval function. An attacker can execute arbitrary code on the server hosting the application by crafting input that, while not containing an underscore, still results in the execution of OS commands.

How to fix Command Injection?

Upgrade llama-index to version 0.10.24 or higher.

[,0.10.24)

SQL Injection

llama-index is an Interface between LLMs and your data

Affected versions of this package are vulnerable to SQL Injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine and PGVectorSQLQueryEngine. An attacker can manipulate or corrupt database contents by injecting SQL commands into the English language input.

How to fix SQL Injection?

There is no fixed version for llama-index.

[0,)

Go back to all versions of this package

llama-index@0.9.12a2 vulnerabilities

Interface between LLMs and your data

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities