AI Threat Alert
CVE-2024-58339
HIGHCVE-2024-58339 is a no-auth network-exploitable DoS in LlamaIndex's VannaQueryEngine that allows any user with prompt access to trigger unbounded SQL execution, exhausting backend database CPU and memory. If you're running LlamaIndex ≤0.12.2 with the VannaPack integration in a multi-tenant or internet-exposed deployment, treat this as urgent—disable the VannaQueryEngine or enforce database-level query timeouts and resource quotas immediately. No confirmed patch version exists yet; compensating controls at the database layer are your primary defense.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llamaindex | pip | — | No patch |
Do you use llamaindex? You're affected.
Severity & Risk
Recommended Action
- 1. Immediate: Audit all LlamaIndex deployments for VannaPack/VannaQueryEngine usage. 2. Workaround: Implement database-level query timeouts (e.g., statement_timeout in PostgreSQL, max_execution_time in MySQL) and connection pool limits. 3. Compensating control: If VannaQueryEngine is exposed to untrusted users, disable it or gate it behind authentication with per-user query rate limiting and quotas. 4. Detection: Monitor for long-running SQL queries originating from the LlamaIndex service account; alert on queries exceeding 10-30 seconds or breaching CPU/memory thresholds. 5. Patch: Monitor upstream (run-llama/llama_index) for a fixed release beyond 0.12.2 and prioritize upgrading. 6. Architecture hardening: Sandbox SQL execution against a read-only replica with enforced resource limits and restrict the database account to SELECT-only permissions.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
Exploitation Scenario
An attacker accessing a public-facing AI analytics chatbot powered by LlamaIndex's VannaQueryEngine submits crafted natural language prompts designed to generate expensive SQL—e.g., 'Show me all combinations of users and products across all time periods' (triggering a cross-join on large tables) or deeply nested correlated subqueries with no index coverage. Because vn.run_sql() executes these without timeout or resource limits, each query consumes significant CPU and memory on the backend database. By submitting a moderate number of concurrent requests, or a single sufficiently expensive query, the attacker exhausts database resources and causes denial of service for all legitimate users. No credentials or prior schema knowledge are required—Vanna infers schema from model context automatically.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H