AI Threat Alert AI Threat Alert

CVE-2025-1793: llama_index: SQL injection in vector store integrations

GHSA-v3c8-3pr6-gr7p CRITICAL PoC AVAILABLE CISA: ATTEND
Published June 5, 2025
CISO Take

Critical SQL injection (CVSS 9.8) in llama_index vector store integrations allows unauthenticated attackers to read and write data across tenant boundaries in any web application built on this framework. If your RAG pipelines or AI agents use llama_index with SQL-backed vector stores and are internet-exposed, treat this as an active breach risk now. Upgrade to llama_index 0.12.28 immediately and audit all SQL-backed vector store configurations.

Risk Assessment

CVSS 9.8 with no authentication, no user interaction, and network-level exploitation makes this the highest-priority patch in any llama_index deployment. EPSS of 0.0002 indicates no confirmed active exploitation yet — but the attack surface is large and the technique is trivial. Blast radius is deployment-dependent: multi-tenant SaaS platforms using llama_index face severe cross-tenant data exposure risk, while internal single-tenant deployments face reduced but non-zero exposure. Both read and write capability means full data compromise and RAG poisoning are within scope of a single exploit.

Affected Systems

Package Ecosystem Vulnerable Range Patched
llama-index pip < 0.12.28 0.12.28
49.3K 229 dependents Pushed yesterday 87% patched ~50d to patch Full package profile →

Do you use llama-index? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps

  1. IMMEDIATE

    Upgrade llama-index to >= 0.12.28 (pip install 'llama-index>=0.12.28'). Verify with pip show llama-index.

  2. AUDIT

    Identify all llama_index deployments using SQL-backed vector stores — check VectorStoreIndex configurations for PostgreSQL, MySQL, or other SQL backends.

  3. DETECTION

    Review database logs for anomalous SQL patterns, UNION-based queries, or unexpected cross-user data access around the exposure window.

  4. WORKAROUND (if patch not immediately possible): Place llama_index API endpoints behind authentication and restrict access to trusted users only; deploy WAF rules targeting SQL injection patterns on AI query endpoints.

  5. POST-PATCH: Audit vector store contents for injected or tampered entries that could poison RAG retrieval.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Supply Chain Framework RAG AML.T0010.001 AML.T0025 AML.T0049 AML.T0070 AML.T0085.000

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.8 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Risk Treatment — AI Risks Addressed
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-1793?

Critical SQL injection (CVSS 9.8) in llama_index vector store integrations allows unauthenticated attackers to read and write data across tenant boundaries in any web application built on this framework. If your RAG pipelines or AI agents use llama_index with SQL-backed vector stores and are internet-exposed, treat this as an active breach risk now. Upgrade to llama_index 0.12.28 immediately and audit all SQL-backed vector store configurations.

Is CVE-2025-1793 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1793, increasing the risk of exploitation.

How to fix CVE-2025-1793?

1. IMMEDIATE: Upgrade llama-index to >= 0.12.28 (pip install 'llama-index>=0.12.28'). Verify with pip show llama-index. 2. AUDIT: Identify all llama_index deployments using SQL-backed vector stores — check VectorStoreIndex configurations for PostgreSQL, MySQL, or other SQL backends. 3. DETECTION: Review database logs for anomalous SQL patterns, UNION-based queries, or unexpected cross-user data access around the exposure window. 4. WORKAROUND (if patch not immediately possible): Place llama_index API endpoints behind authentication and restrict access to trusted users only; deploy WAF rules targeting SQL injection patterns on AI query endpoints. 5. POST-PATCH: Audit vector store contents for injected or tampered entries that could poison RAG retrieval.

What systems are affected by CVE-2025-1793?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, agent frameworks, LLM application frameworks, multi-tenant AI platforms.

What is the CVSS score for CVE-2025-1793?

CVE-2025-1793 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

Exploitation Scenario

An unauthenticated attacker targeting a multi-tenant RAG platform built on llama_index sends a crafted query containing SQL injection payloads to the application's document search or retrieval endpoint. The malicious input passes through llama_index's vector store integration unsanitized and is interpolated directly into a SQL query. Using UNION-based SQL injection, the attacker dumps the full contents of the vector store — including document chunks indexed for other tenants — exfiltrating proprietary data, PII, or credentials embedded in indexed documents. In a second phase, the attacker uses the write path to inject poisoned document chunks into the vector store, causing the RAG system to return attacker-controlled content to victim users and silently manipulating AI-generated outputs.

Weaknesses (CWE)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
June 5, 2025
Last Modified
June 6, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2024-12909 10.0

llama-index finchat: SQL injection enables RCE

Same package: llama-index
CRITICAL CVE-2024-11958 9.8

llama-index DuckDB retriever: SQLi enables RCE

Same package: llama-index
HIGH CVE-2025-1753 7.8

llama-index-cli: OS command injection enables RCE

Same package: llama-index
HIGH CVE-2025-3225 7.5

llama-index Papers Loader: XML expansion DoS

Same package: llama-index
HIGH CVE-2025-3046 7.5

LlamaIndex Obsidian: symlink traversal exposes host files

Same package: llama-index
Back to Threat Feed