Breach report
The LlamaIndex safe_eval class: underscore-blocklist bypasses, exec on class names, and prompt-driven SQL injection
What happened
LlamaIndex is a leading data framework for connecting LLMs to private data. Across 2024 and 2025 the same weakness recurred: prompt-influenced strings reached code evaluation or query construction.
- CVE-2024-3098 — the
exec_utils/safe_evalpath (used by the Pandas query engine) could be bypassed via prompt injection, giving arbitrary code execution; it circumvented an earlier fix (CVE-2023-39662). Affected llama-index before0.10.24; reported April 10, 2024, CVSS 9.8 (CWE-94). - CVE-2024-3271 — the
safe_evalmechanism checked LLM-generated code for underscores to block unsafe calls; an attacker could craft underscore-free input that still executed OS commands. Fixed in0.10.24; published April 16, 2024, CVSS 9.8. - CVE-2024-45201 —
download/integration.pycalledexecon acls_namevariable an attacker could inject, giving arbitrary code execution. Affected versions before0.10.38; disclosed August 22, 2024, CVSS 8.7. - CVE-2025-1793 —
vector_store.delete()across eight vector-store integrations (ClickHouse, Couchbase, DeepLake, Jaguar, Lantern, Nile, OracleDB, SingleStoreDB) built unsanitized SQL, so a prompt could drive an injection such asdelete("project:X' OR 1=1 --"). Fixed in LlamaIndex0.12.28; published June 9, 2025.
Root cause
Blocklists and unparameterized queries stood in for real isolation. The safe_eval guard tried to enumerate dangerous syntax (underscores) instead of refusing to evaluate untrusted input at all — and enumeration always loses. The vector-store deletes concatenated LLM-influenced values into SQL rather than parameterizing them. Both are OWASP LLM05 Improper Output Handling driven by LLM01 Prompt Injection: CWE-94 code injection and CWE-89 SQL injection.
How it would have been caught
Unit tests that feed safe_eval known bypass payloads (underscore-free, alternate encodings) and assert nothing executes would have flipped red. A SQL-injection test handing vector_store.delete() a ' OR 1=1 -- value and asserting the query is parameterized would have caught CVE-2025-1793. Static analysis on eval/exec/os.system over prompt-derived data catches the rest.
How to prevent it
- Upgrade to the fixed versions (
0.10.24,0.10.38,0.12.28as applicable). - Do not evaluate LLM-generated code; if a query engine must run generated code, sandbox it with no shell, no network, and least privilege — never rely on a syntax blocklist.
- Parameterize every database query; never concatenate model output into SQL.
The Breachwire test (red → green)
Drive each vector for real: an underscore-free payload into the query engine, a hostile cls_name, and a ' OR 1=1 -- delete. Confirm code runs and the injection executes on the vulnerable versions (RED). Upgrade, replace eval with a sandboxed evaluator and parameterize the queries, then confirm the payloads are inert while a legitimate natural-language query and a normal delete still return correct results.