Description
A vulnerability was identified in the `exec_utils` module of the `llama_index` package, specifically in the `safe_eval` function, allowing prompt injection to escalate to arbitrary code execution. The issue arises from insufficient validation of the input passed to `safe_eval`, which can be exploited to bypass its method restrictions and execute unauthorized code. The vulnerability bypasses the fix for the previously addressed CVE-2023-39662; the reporter's proof of concept demonstrates the flaw by creating a file on the system.
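The weakness described above is the classic failure mode of an eval-based sandbox: the code blocks a list of dangerous names, but Python's attribute model reaches the same objects by other routes. The following is an added example written for this page, not llama_index's `exec_utils` code and not the huntr proof of concept. `naive_safe_eval` is a hypothetical evaluator in the bypassable style (builtins stripped, a name blocklist checked on the AST), and `hardened_safe_eval` is a hypothetical AST-allowlist variant; every function and constant name in it is an assumption.

```python
import ast

# Added illustrative example (not llama_index's exec_utils, not the huntr PoC).
# Both evaluators are hypothetical; they exist only to show why blocking names
# is not enough and what an AST allowlist changes.

# --- Toy "safe" evaluator in the bypassable style --------------------------
# It removes builtins and blocks a handful of dangerous names, but inspects
# only ast.Name nodes. Attribute chains such as ().__class__.__base__ are
# ast.Attribute nodes, so they pass the check unexamined.
BLOCKED_NAMES = {"eval", "exec", "open", "compile", "__import__",
                 "os", "sys", "subprocess", "getattr", "globals"}


def naive_safe_eval(expr: str):
    """Evaluate expr with builtins stripped and BLOCKED_NAMES rejected."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            raise ValueError(f"blocked name: {node.id}")
    return eval(compile(tree, "<naive>", "eval"), {"__builtins__": {}}, {})


# --- Allowlist-based evaluator --------------------------------------------
# Hypothetical hardening: only a fixed set of node types, a fixed set of
# builtins and caller-supplied variables are permitted; any attribute whose
# name starts with "_" is refused, closing the dunder-traversal route.
ALLOWED_BUILTINS = {"len": len, "min": min, "max": max, "sum": sum,
                    "abs": abs, "round": round, "sorted": sorted,
                    "str": str, "int": int, "float": float}

ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Call, ast.keyword, ast.Attribute, ast.Subscript, ast.Slice,
    ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)

# str.format / format_map can reach attributes through the format string
# ("{0.__class__}".format(x)), which the AST check cannot see, so they are
# refused by name as well.
BLOCKED_ATTRS = {"format", "format_map"}


def hardened_safe_eval(expr: str, variables=None):
    """Evaluate expr under an AST allowlist; raise ValueError otherwise."""
    variables = dict(variables or {})
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Attribute):
            if node.attr.startswith("_") or node.attr in BLOCKED_ATTRS:
                raise ValueError(f"disallowed attribute: {node.attr}")
        if isinstance(node, ast.Name):
            if node.id not in ALLOWED_BUILTINS and node.id not in variables:
                raise ValueError(f"unknown name: {node.id}")
    env = {"__builtins__": {}, **ALLOWED_BUILTINS}
    return eval(compile(tree, "<hardened>", "eval"), env, variables)


def hardened_rejects(expr: str, variables=None) -> bool:
    """True if hardened_safe_eval refuses expr before evaluating it."""
    try:
        hardened_safe_eval(expr, variables)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The naive sandbox hands back the object type, the usual first hop
    # toward file and process primitives via __subclasses__().
    print(naive_safe_eval("().__class__.__base__"))
    print(len(naive_safe_eval("().__class__.__base__.__subclasses__()")))
    # The allowlisted one refuses the same chain but still does useful work.
    print(hardened_rejects("().__class__.__base__"))
    print(hardened_safe_eval("len(items) * 2", {"items": [1, 2, 3]}))
```

The practical point for anyone reviewing a `safe_eval`-style helper is that a check on names is not a check on reachable objects: the allowlist variant refuses every node type, attribute and name it does not explicitly know, rather than enumerating what it fears. Even so, an `eval` sandbox remains fragile against future interpreter features; where untrusted or model-generated input must drive computation, a purpose-built expression interpreter with no `eval` at all is the safer design.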
References
Exploit, Third Party Advisory: https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7
Scores
CVSS v3: 9.8 (Critical)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0019 (percentile 40.3%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products
pypi/llama-index-core: 0 - 0.10.24 (PyPI)
run-llama/run-llama/llama_index: unspecified - 0.10.24
Published: Apr 10, 2024
Tracked Since: Feb 18, 2026