CVE-2024-4181 — UNKNOWN AI Security Vulnerability

A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
llamaindex	pip	—	No patch

Do you use llamaindex? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.

Weaknesses (CWE)

CWE-94

References

github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba
Patch
huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1
Exploit 3rd Party
github.com/run-llama/llama_index/commit/d73715eaf0642705583e7897c78b9c8dd2d3a7ba
Patch
huntr.com/bounties/1a204520-598a-434e-b13d-0d34f2a5ddc1
Exploit 3rd Party

Timeline

Published

May 16, 2024

Last Modified

October 21, 2025

First Seen

May 16, 2024