AI Threat Alert AI Threat Alert

CVE-2024-58339: llamaindex: Resource Exhaustion enables DoS

HIGH PoC AVAILABLE CISA: TRACK*
Published January 12, 2026
CISO Take

CVE-2024-58339 is a no-auth network-exploitable DoS in LlamaIndex's VannaQueryEngine that allows any user with prompt access to trigger unbounded SQL execution, exhausting backend database CPU and memory. If you're running LlamaIndex ≤0.12.2 with the VannaPack integration in a multi-tenant or internet-exposed deployment, treat this as urgent—disable the VannaQueryEngine or enforce database-level query timeouts and resource quotas immediately. No confirmed patch version exists yet; compensating controls at the database layer are your primary defense.

Risk Assessment

High risk for any organization exposing LlamaIndex's VannaQueryEngine to untrusted users. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means exploitation requires minimal effort—no credentials, no user interaction, no special conditions. Blast radius is limited to availability (A:H) with no confidentiality or integrity impact, but a successful attack can render the entire application or backend database unavailable. Risk is elevated in SaaS or multi-tenant AI applications where natural language query interfaces are customer-facing.

Affected Systems

Package Ecosystem Vulnerable Range Patched
llamaindex pip No patch
49.1K Pushed 8d ago 0% patched Full package profile →

Do you use llamaindex? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

6 steps

  1. Immediate: Audit all LlamaIndex deployments for VannaPack/VannaQueryEngine usage.

  2. Workaround: Implement database-level query timeouts (e.g., statement_timeout in PostgreSQL, max_execution_time in MySQL) and connection pool limits.

  3. Compensating control: If VannaQueryEngine is exposed to untrusted users, disable it or gate it behind authentication with per-user query rate limiting and quotas.

  4. Detection: Monitor for long-running SQL queries originating from the LlamaIndex service account; alert on queries exceeding 10-30 seconds or breaching CPU/memory thresholds.

  5. Patch: Monitor upstream (run-llama/llama_index) for a fixed release beyond 0.12.2 and prioritize upgrading.

  6. Architecture hardening: Sandbox SQL execution against a read-only replica with enforced resource limits and restrict the database account to SELECT-only permissions.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Code Execution Framework Agent AML.T0029 AML.T0034 AML.T0049 AML.T0051.000 AML.T0053

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system operation and monitoring Clause 8.4 - AI System Operation
NIST AI RMF
GOVERN 6.1 - Policies and processes to address AI risks MANAGE 2.2 - Risk Treatment and Response
OWASP LLM Top 10
LLM04 - Model Denial of Service LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-58339?

CVE-2024-58339 is a no-auth network-exploitable DoS in LlamaIndex's VannaQueryEngine that allows any user with prompt access to trigger unbounded SQL execution, exhausting backend database CPU and memory. If you're running LlamaIndex ≤0.12.2 with the VannaPack integration in a multi-tenant or internet-exposed deployment, treat this as urgent—disable the VannaQueryEngine or enforce database-level query timeouts and resource quotas immediately. No confirmed patch version exists yet; compensating controls at the database layer are your primary defense.

Is CVE-2024-58339 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-58339, increasing the risk of exploitation.

How to fix CVE-2024-58339?

1. Immediate: Audit all LlamaIndex deployments for VannaPack/VannaQueryEngine usage. 2. Workaround: Implement database-level query timeouts (e.g., statement_timeout in PostgreSQL, max_execution_time in MySQL) and connection pool limits. 3. Compensating control: If VannaQueryEngine is exposed to untrusted users, disable it or gate it behind authentication with per-user query rate limiting and quotas. 4. Detection: Monitor for long-running SQL queries originating from the LlamaIndex service account; alert on queries exceeding 10-30 seconds or breaching CPU/memory thresholds. 5. Patch: Monitor upstream (run-llama/llama_index) for a fixed release beyond 0.12.2 and prioritize upgrading. 6. Architecture hardening: Sandbox SQL execution against a read-only replica with enforced resource limits and restrict the database account to SELECT-only permissions.

What systems are affected by CVE-2024-58339?

This vulnerability affects the following AI/ML architecture patterns: NL2SQL pipelines, agent frameworks, LLM application backends, AI-assisted data analytics platforms.

What is the CVSS score for CVE-2024-58339?

CVE-2024-58339 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.12%.

Technical Details

NVD Description

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().

Exploitation Scenario

An attacker accessing a public-facing AI analytics chatbot powered by LlamaIndex's VannaQueryEngine submits crafted natural language prompts designed to generate expensive SQL—e.g., 'Show me all combinations of users and products across all time periods' (triggering a cross-join on large tables) or deeply nested correlated subqueries with no index coverage. Because vn.run_sql() executes these without timeout or resource limits, each query consumes significant CPU and memory on the backend database. By submitting a moderate number of concurrent requests, or a single sufficiently expensive query, the attacker exhausts database resources and causes denial of service for all legitimate users. No credentials or prior schema knowledge are required—Vanna infers schema from model context automatically.

Weaknesses (CWE)

CWE-770 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
January 12, 2026
Last Modified
January 21, 2026
First Seen
January 12, 2026

Related Vulnerabilities

CRITICAL CVE-2024-23751 9.8

LlamaIndex: SQL injection in Text-to-SQL feature

Same package: llamaindex
HIGH CVE-2024-14021 7.8

llamaindex: Deserialization enables RCE

Same package: llamaindex
HIGH CVE-2024-12704 7.5

llama-index: DoS via infinite loop in LangChain LLM

Same package: llamaindex
HIGH CVE-2024-12911 7.1

llama-index: SQLi+DoS via prompt injection in query engine

Same package: llamaindex
UNKNOWN CVE-2024-4181

llama_index: RCE via eval() in RunGptLLM connector

Same package: llamaindex
Back to Threat Feed