CVE-2024-58339: LlamaIndex Resource Exhaustion

CISO Take

CVE-2024-58339 is a no-auth network-exploitable DoS in LlamaIndex's VannaQueryEngine that allows any user with prompt access to trigger unbounded SQL execution, exhausting backend database CPU and memory. If you're running LlamaIndex ≤0.12.2 with the VannaPack integration in a multi-tenant or internet-exposed deployment, treat this as urgent—disable the VannaQueryEngine or enforce database-level query timeouts and resource quotas immediately. No confirmed patch version exists yet; compensating controls at the database layer are your primary defense.

What is the risk?

High risk for any organization exposing LlamaIndex's VannaQueryEngine to untrusted users. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means exploitation requires minimal effort—no credentials, no user interaction, no special conditions. Blast radius is limited to availability (A:H) with no confidentiality or integrity impact, but a successful attack can render the entire application or backend database unavailable. Risk is elevated in SaaS or multi-tenant AI applications where natural language query interfaces are customer-facing.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LlamaIndex	pip	—	No patch
50.2K Pushed 3d ago 0% patched Full package profile →

Do you use LlamaIndex? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 43% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

6 steps

Immediate: Audit all LlamaIndex deployments for VannaPack/VannaQueryEngine usage.
Workaround: Implement database-level query timeouts (e.g., statement_timeout in PostgreSQL, max_execution_time in MySQL) and connection pool limits.
Compensating control: If VannaQueryEngine is exposed to untrusted users, disable it or gate it behind authentication with per-user query rate limiting and quotas.
Detection: Monitor for long-running SQL queries originating from the LlamaIndex service account; alert on queries exceeding 10-30 seconds or breaching CPU/memory thresholds.
Patch: Monitor upstream (run-llama/llama_index) for a fixed release beyond 0.12.2 and prioritize upgrading.
Architecture hardening: Sandbox SQL execution against a read-only replica with enforced resource limits and restrict the database account to SELECT-only permissions.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Code Execution Framework Agent AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0051.000 - Direct AML.T0053 - AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - AI system operation and monitoring Clause 8.4 - AI System Operation

NIST AI RMF

GOVERN 6.1 - Policies and processes to address AI risks MANAGE 2.2 - Risk Treatment and Response

OWASP LLM Top 10

LLM04 - Model Denial of Service LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-58339?

CVE-2024-58339 is a no-auth network-exploitable DoS in LlamaIndex's VannaQueryEngine that allows any user with prompt access to trigger unbounded SQL execution, exhausting backend database CPU and memory. If you're running LlamaIndex ≤0.12.2 with the VannaPack integration in a multi-tenant or internet-exposed deployment, treat this as urgent—disable the VannaQueryEngine or enforce database-level query timeouts and resource quotas immediately. No confirmed patch version exists yet; compensating controls at the database layer are your primary defense.

Is CVE-2024-58339 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-58339, increasing the risk of exploitation.

How to fix CVE-2024-58339?

1. Immediate: Audit all LlamaIndex deployments for VannaPack/VannaQueryEngine usage. 2. Workaround: Implement database-level query timeouts (e.g., statement_timeout in PostgreSQL, max_execution_time in MySQL) and connection pool limits. 3. Compensating control: If VannaQueryEngine is exposed to untrusted users, disable it or gate it behind authentication with per-user query rate limiting and quotas. 4. Detection: Monitor for long-running SQL queries originating from the LlamaIndex service account; alert on queries exceeding 10-30 seconds or breaching CPU/memory thresholds. 5. Patch: Monitor upstream (run-llama/llama_index) for a fixed release beyond 0.12.2 and prioritize upgrading. 6. Architecture hardening: Sandbox SQL execution against a read-only replica with enforced resource limits and restrict the database account to SELECT-only permissions.

What systems are affected by CVE-2024-58339?

This vulnerability affects the following AI/ML architecture patterns: NL2SQL pipelines, agent frameworks, LLM application backends, AI-assisted data analytics platforms.

What is the CVSS score for CVE-2024-58339?

CVE-2024-58339 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

NL2SQL pipelinesagent frameworksLLM application backendsAI-assisted data analytics platforms

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

AML.T0051.000 Direct

AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 9, Article 15

ISO 42001: A.6.2.5, Clause 8.4

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM04, LLM10:2025

What are the technical details?

Original Advisory

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().

Exploitation Scenario

An attacker accessing a public-facing AI analytics chatbot powered by LlamaIndex's VannaQueryEngine submits crafted natural language prompts designed to generate expensive SQL—e.g., 'Show me all combinations of users and products across all time periods' (triggering a cross-join on large tables) or deeply nested correlated subqueries with no index coverage. Because vn.run_sql() executes these without timeout or resource limits, each query consumes significant CPU and memory on the backend database. By submitting a moderate number of concurrent requests, or a single sufficiently expensive query, the attacker exhausts database resources and causes denial of service for all legitimate users. No credentials or prior schema knowledge are required—Vanna infers schema from model context automatically.

Weaknesses (CWE)

CWE-770 Allocation of Resources Without Limits or Throttling Primary

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

[Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
[Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.