CVE-2024-23751 Overview
CVE-2024-23751 is a SQL Injection vulnerability affecting LlamaIndex (also known as llama_index) through version 0.9.34. The vulnerability exists in the Text-to-SQL feature, which is implemented across multiple query engine components including NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. This flaw allows attackers to inject malicious SQL commands through natural language input, potentially leading to unauthorized data access, modification, or deletion.
Critical Impact
Attackers can execute arbitrary SQL commands through natural language input, enabling complete database compromise including data exfiltration, modification, and deletion of critical records.
Affected Products
- LlamaIndex (llama_index) versions through 0.9.34
- NLSQLTableQueryEngine component
- SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine components
Discovery Timeline
- 2024-01-22 - CVE-2024-23751 published to NVD
- 2025-06-20 - Last updated in NVD database
Technical Details for CVE-2024-23751
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) resides in the Text-to-SQL feature of LlamaIndex, a popular framework for building LLM-powered applications. The vulnerability arises from insufficient input validation and sanitization when converting natural language queries into SQL statements. The Text-to-SQL functionality is designed to translate user-provided English language queries into executable SQL commands, but lacks proper safeguards against malicious input that could result in destructive database operations.
The affected components span multiple query engines within the LlamaIndex framework, indicating a fundamental design flaw in how user input is processed before SQL generation. An attacker can craft natural language inputs that, when processed by the vulnerable Text-to-SQL feature, generate malicious SQL statements. For example, a seemingly innocent query like "Drop the Students table" could be interpreted literally, resulting in the execution of a DROP TABLE command against the connected database.
Root Cause
The root cause of CVE-2024-23751 is improper input validation in the natural language processing pipeline that converts user queries to SQL. The Text-to-SQL feature fails to implement adequate controls to distinguish between legitimate data retrieval requests and potentially destructive database operations. The framework lacks semantic analysis to detect and block SQL commands that could modify database schema or delete records, treating all natural language input as trusted and converting it directly to executable SQL without proper sanitization or command whitelisting.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by providing malicious natural language input to any application utilizing the affected LlamaIndex Text-to-SQL components. The attack flow involves:
- Identifying an application using LlamaIndex's Text-to-SQL functionality
- Crafting natural language input containing destructive SQL intent (e.g., "Drop the Students table" or "Delete all records from the Users table")
- Submitting the malicious input through the application's interface
- The vulnerable component translates the input into executable SQL
- The malicious SQL executes against the backend database
The vulnerability is particularly dangerous because it bypasses traditional SQL injection defenses—the input isn't SQL syntax but natural language that gets converted to SQL by the LLM-powered translation layer.
Detection Methods for CVE-2024-23751
Indicators of Compromise
- Unexpected database schema changes such as dropped tables or modified structures
- Unusual DELETE or DROP statements in database query logs
- Natural language queries containing database-specific terminology like "drop", "delete", "truncate", or "alter"
- Sudden data loss or corruption in database tables accessed through LlamaIndex applications
Detection Strategies
- Implement query logging for all Text-to-SQL operations to capture the generated SQL statements before execution
- Deploy database activity monitoring to detect anomalous DDL (Data Definition Language) or destructive DML operations
- Create alerting rules for SQL statements containing DROP, DELETE, TRUNCATE, or ALTER keywords originating from LlamaIndex components
- Monitor application logs for unusual natural language query patterns that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging in LlamaIndex applications to capture both input queries and generated SQL
- Implement real-time database audit trails with alerts for destructive operations
- Deploy application-level monitoring to track the frequency and content of Text-to-SQL requests
- Establish baseline metrics for normal query patterns to identify anomalous behavior
How to Mitigate CVE-2024-23751
Immediate Actions Required
- Upgrade LlamaIndex to a version newer than 0.9.34 that includes patches for this vulnerability
- Audit all applications using LlamaIndex Text-to-SQL features to identify exposure
- Implement database user permissions that restrict destructive operations (DROP, DELETE, TRUNCATE) for accounts used by LlamaIndex
- Review database logs for any signs of past exploitation
Patch Information
The vulnerability was disclosed through the LlamaIndex GitHub Issue #9957. Users should monitor the official LlamaIndex repository for security patches and upgrade to the latest stable release that addresses this SQL injection vulnerability. Review the GitHub issue for detailed patch information and recommended upgrade paths.
Workarounds
- Implement a SQL query allow-list that only permits SELECT statements from Text-to-SQL operations
- Deploy a database proxy or firewall that blocks DDL statements and destructive DML operations from LlamaIndex application connections
- Use read-only database credentials for LlamaIndex Text-to-SQL components where write access is not required
- Add input pre-processing to filter natural language queries containing potentially dangerous keywords before they reach the Text-to-SQL engine
# Example: Create restricted database user for LlamaIndex
# This limits the potential damage from SQL injection
CREATE USER llamaindex_reader WITH PASSWORD 'secure_password';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO llamaindex_reader;
REVOKE INSERT, UPDATE, DELETE, DROP ON ALL TABLES IN SCHEMA public FROM llamaindex_reader;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
