Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-12911

CVE-2024-12911: Llamaindex SQLi Vulnerability via Injection

CVE-2024-12911 is a SQL injection flaw in Llamaindex's JSONalyzeQueryEngine that enables prompt injection attacks, leading to arbitrary file creation and DoS. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-12911 Overview

CVE-2024-12911 is a SQL injection vulnerability in the default_jsonalyzer function of the JSONalyzeQueryEngine component within the run-llama/llama_index repository. Attackers can exploit the flaw through prompt injection, coercing the large language model (LLM) into generating malicious SQL statements that the engine executes without adequate validation. Successful exploitation can lead to arbitrary file creation on the host system and Denial-of-Service (DoS) conditions. The issue affects the latest release prior to the fix and is remediated in version 0.5.1, where JSONalyzeQueryEngine was moved to the experimental package. This vulnerability is tracked under CWE-89 and reflects a broader class of risks in LLM-integrated query engines.

Critical Impact

Prompt-injected SQL statements executed by JSONalyzeQueryEngine enable arbitrary file writes and DoS against applications built on llama_index.

Affected Products

  • llamaindex llama_index (all versions prior to 0.5.1 of the affected package)
  • Applications embedding the JSONalyzeQueryEngine from llama_index.core.query_engine
  • LLM pipelines that pass untrusted user input to default_jsonalyzer

Discovery Timeline

  • 2025-03-20 - CVE-2024-12911 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-12911

Vulnerability Analysis

The JSONalyzeQueryEngine converts natural-language questions into SQL queries executed against an in-memory SQLite database built from JSON input. The default_jsonalyzer function accepts LLM-generated SQL and runs it directly, without parameterization or statement-type filtering. When an attacker injects instructions into the prompt, the LLM emits attacker-controlled SQL that the engine then executes. Because SQLite supports functions such as ATTACH DATABASE and writefile, adversaries can create arbitrary files on disk or issue resource-exhausting queries that stall the application.

Root Cause

The root cause is missing neutralization of special elements used in an SQL command [CWE-89], compounded by an implicit trust boundary violation: input flowing from an untrusted user through the LLM is treated as trusted SQL. Neither structural validation nor a read-only execution context is enforced by default_jsonalyzer.

Attack Vector

Exploitation requires an attacker to supply input to a JSONalyzeQueryEngine-backed endpoint and requires user interaction to trigger the query flow. The attacker crafts a prompt that instructs the LLM to emit SQL containing side-effecting statements. The engine executes the statement server-side, producing file writes or long-running queries that degrade availability.

python
# Security patch: relocation to experimental package
 from llama_index.core.query_engine.graph_query_engine import (
     ComposableGraphQueryEngine,
 )
-from llama_index.core.query_engine.jsonalyze_query_engine import (
+from llama_index.core.query_engine.jsonalyze import (
     JSONalyzeQueryEngine,
 )
 from llama_index.core.query_engine.knowledge_graph_query_engine import (

Source: run-llama/llama_index commit bf28207. The patch moves JSONalyzeQueryEngine to an experimental module, signaling that the component should not be used with untrusted input in production paths.

Detection Methods for CVE-2024-12911

Indicators of Compromise

  • Unexpected files written by the application service account, particularly in directories referenced by writefile() or ATTACH DATABASE calls.
  • Application logs showing LLM-generated SQL containing keywords such as ATTACH, PRAGMA, writefile, or multi-statement separators (;) inside a default_jsonalyzer execution path.
  • Sudden spikes in query latency or process memory tied to JSONalyzeQueryEngine invocations.

Detection Strategies

  • Enable verbose logging in JSONalyzeQueryEngine to capture both the user prompt and the generated SQL string prior to execution, then alert on non-SELECT statements.
  • Instrument the Python runtime with audit hooks (sys.addaudithook) to record file creation and sqlite3 connection events originating from the query engine module.
  • Correlate outbound file-write syscalls from the application container against a baseline of expected write paths.

Monitoring Recommendations

  • Track invocations of llama_index.core.query_engine.jsonalyze (or the legacy jsonalyze_query_engine) module in application telemetry.
  • Monitor for repeated failed or malformed SQL executions, which often precede a successful prompt injection.
  • Review web application firewall (WAF) logs for user inputs containing SQL metacharacters, \n-delimited instructions, or role-override phrases targeting the LLM.

How to Mitigate CVE-2024-12911

Immediate Actions Required

  • Upgrade the affected llama_index package to version 0.5.1 or later, where JSONalyzeQueryEngine is relocated to the experimental namespace.
  • Remove JSONalyzeQueryEngine from any production request path that processes untrusted input until compensating controls are in place.
  • Rotate any credentials or secrets that may have been exposed on hosts where arbitrary file creation was possible.

Patch Information

The fix is delivered in commit bf282074, which moves JSONalyzeQueryEngine into an experimental module. Additional context and reproduction details are available in the Huntr bounty report. Apply the upgrade across all environments that ingest user-supplied JSON or natural-language queries.

Workarounds

  • Restrict the SQLite execution context to a read-only connection (mode=ro) and disable dangerous functions such as writefile and ATTACH.
  • Validate LLM-generated SQL with an allowlist parser that rejects any statement other than SELECT before execution in default_jsonalyzer.
  • Run the llama_index worker under a low-privilege user in a sandboxed filesystem to limit the blast radius of arbitrary file writes.
  • Apply prompt-injection defenses such as input sanitization, system-prompt hardening, and output schema validation on the LLM response.
bash
# Pin llama_index to the patched release
pip install --upgrade "llama-index-core>=0.5.1"

# Verify the JSONalyzeQueryEngine now resolves from the experimental path
python -c "from llama_index.core.query_engine.jsonalyze import JSONalyzeQueryEngine; print(JSONalyzeQueryEngine.__module__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.