
Description

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing any query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path is in llama_index/packs/vanna/base.py within custom_query().
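The pattern the description refers to, shown as an added example that is not LlamaIndex, Vanna or huntr code: a hypothetical run_sql() that executes model-generated SQL as-is, next to a hardened variant that puts a wall-clock budget, a row cap and a read-only authorizer on every statement. The text-to-SQL step is assumed and not reproduced; the "generated" statements and the orders table are constructed samples, and SQLite stands in for whatever database a deployment connects Vanna to.

```python
"""Unbounded vs. budgeted execution of LLM-generated SQL (added example)."""
import sqlite3
import time


class QueryBudgetExceeded(Exception):
    """Raised when a generated statement breaks the time, row or read-only budget."""


def make_sample_db():
    """Constructed sample data; stands in for the deployment's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO orders(customer, amount) VALUES (?, ?)",
        [("alice", 12.5), ("bob", 99.0), ("carol", 7.25), ("alice", 40.0)],
    )
    conn.commit()
    return conn


def run_sql_unbounded(conn, sql):
    """Vulnerable shape (hypothetical, modelled on the advisory): whatever the
    model produced is executed verbatim, with no time, row or write limit."""
    return conn.execute(sql).fetchall()


# Only plain reads are allowed; SQLITE_RECURSIVE covers CTEs (fallback value
# 33 for Python builds that do not export the constant).
_READ_ONLY_ACTIONS = {
    sqlite3.SQLITE_SELECT,
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_FUNCTION,
    getattr(sqlite3, "SQLITE_RECURSIVE", 33),
}


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Deny at prepare time anything that is not a read (DROP, INSERT, PRAGMA...)."""
    return sqlite3.SQLITE_OK if action in _READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def harden_connection(conn):
    """Install the read-only authorizer once; use this connection for generated SQL."""
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_sql_bounded(conn, sql, max_rows=1000, max_seconds=2.0, max_sql_len=4000):
    """Hardened shape: one statement, a wall-clock budget enforced through SQLite's
    progress handler, and a row cap applied while streaming (never fetchall())."""
    if len(sql) > max_sql_len:
        raise QueryBudgetExceeded(f"statement longer than {max_sql_len} chars")
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise QueryBudgetExceeded("only a single statement is allowed")

    deadline = time.monotonic() + max_seconds

    def watchdog():
        # A non-zero return aborts the running statement with "interrupted".
        return 1 if time.monotonic() > deadline else 0

    conn.set_progress_handler(watchdog, 1000)  # invoked every 1000 VM instructions
    try:
        cur = conn.execute(stmt)
        rows = cur.fetchmany(max_rows + 1)  # one extra row detects overflow cheaply
        if len(rows) > max_rows:
            raise QueryBudgetExceeded(f"result exceeds {max_rows} rows")
        return rows
    except sqlite3.DatabaseError as exc:
        msg = str(exc).lower()
        if "interrupted" in msg:
            raise QueryBudgetExceeded(f"exceeded {max_seconds}s budget") from exc
        if "not authorized" in msg:
            raise QueryBudgetExceeded("statement is not read-only") from exc
        raise
    finally:
        conn.set_progress_handler(None, 0)


# Constructed "model output": one benign query and three hostile ones.
BENIGN_SQL = "SELECT customer, SUM(amount) FROM orders GROUP BY customer ORDER BY customer"
RUNAWAY_SQL = "WITH RECURSIVE c(n) AS (SELECT 1 UNION ALL SELECT n + 1 FROM c) SELECT COUNT(*) FROM c"
FLOOD_SQL = "WITH RECURSIVE c(n) AS (SELECT 1 UNION ALL SELECT n + 1 FROM c WHERE n < 200000) SELECT n FROM c"
DESTRUCTIVE_SQL = "DROP TABLE orders"


def classify(conn, sql, **budget):
    """Return 'ok' or the rejection reason for a generated statement."""
    try:
        run_sql_bounded(conn, sql, **budget)
        return "ok"
    except QueryBudgetExceeded as exc:
        return str(exc)


if __name__ == "__main__":
    db = harden_connection(make_sample_db())
    for name, sql in [("benign", BENIGN_SQL), ("runaway", RUNAWAY_SQL),
                      ("flood", FLOOD_SQL), ("destructive", DESTRUCTIVE_SQL)]:
        print(f"{name:12s} -> {classify(db, sql, max_seconds=0.5)}")
```

The budget is enforced by the database engine, not by inspecting the SQL text: a prefix check for SELECT would not stop the recursive CTE above, which is a pure read that never terminates. On a server database the same three controls map to a per-session statement timeout (for example statement_timeout in PostgreSQL), a dedicated read-only role for the query engine's connection, and a LIMIT or streaming fetch with a cap instead of materialising the whole result.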

PUBLISHED Reserved 2026-01-09 | Published 2026-01-12 | Updated 2026-01-12 | Assigner VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status
unknown

Any version
affected

Credits

LifeTeam2024 finder

References

huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f technical-description exploit

www.llamaindex.ai/ product

github.com/run-llama/llama_index third-party-advisory

www.vulncheck.com/...ql-execution-allows-resource-exhaustion third-party-advisory

cve.org (CVE-2024-58339)

nvd.nist.gov (CVE-2024-58339)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.