- Description: An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to manipulate the ref_doc_id parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE).
- Source: security@huntr.dev
- NVD status: Awaiting Analysis
CVSS 3.0
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- security@huntr.dev: CWE-89
- Hype score: Not currently trending
CVE-2025-1750 SQL Injection in LlamaIndex DuckDBVectorStore Delete Function Enables File Read/Write https://t.co/oQXJu1umg1
@VulmonFeeds
2 Jun 2025
🚨 Critical SQL injection in run-llama/llama_index v0.12.19 (CVE-2025-1750) enables RCE via DuckDBVectorStore. Patch now! Details: https://t.co/oflAoodkVh #OffSeq #CVE20251750 #SQLi #RCE #Cybersecurity https://t.co/BRBB1OHNt2
@offseq
2 Jun 2025
CVE-2025-1750 An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. This vulnerability allows an attacker to ma… https://t.co/eUpWIslotU
@CVEnew
2 Jun 2025
[CVE-2025-1750: CRITICAL] Critical SQL injection vulnerability found in DuckDBVectorStore delete function in llama_index v0.12.19. Attackers can exploit to access server files and execute code. #cybersecurity#cve,CVE-2025-1750,#cybersecurity https://t.co/VWNaEtP5cQ https://t.co/E
@CveFindCom
2 Jun 2025