Breachwire.riscent

Breach report

The LlamaIndex safe_eval class: underscore-blocklist bypasses, exec on class names, and prompt-driven SQL injection

AI & LLM BreachesCritical (RCE) / High (SQLi)CVE-2024-3271, CVE-2024-45201, CVE-2025-1793, CVE-2024-30982024-04
The bottom lineLlamaIndex repeatedly let prompt-influenced strings reach code evaluators and database queries — a blocklist that missed underscore-free payloads, an exec on an attacker class name, and an unparameterized vector-store delete — yielding RCE and SQL injection.
Category
AI & LLM Breaches
Type
Vulnerability class · Multiple CVEs (LlamaIndex)
Date
2024-04
Severity
Critical (RCE) / High (SQLi)
OWASP
LLM05 Improper Output Handling; LLM01 Prompt Injection
CWE / CVE
CWE-94; CWE-89 CVE-2024-3271, CVE-2024-45201, CVE-2025-1793, CVE-2024-3098

What happened

LlamaIndex is a leading data framework for connecting LLMs to private data. Across 2024 and 2025 the same weakness recurred: prompt-influenced strings reached code evaluation or query construction.

  • CVE-2024-3098 — the exec_utils/safe_eval path (used by the Pandas query engine) could be bypassed via prompt injection, giving arbitrary code execution; it circumvented an earlier fix (CVE-2023-39662). Affected llama-index before 0.10.24; reported April 10, 2024, CVSS 9.8 (CWE-94).
  • CVE-2024-3271 — the safe_eval mechanism checked LLM-generated code for underscores to block unsafe calls; an attacker could craft underscore-free input that still executed OS commands. Fixed in 0.10.24; published April 16, 2024, CVSS 9.8.
  • CVE-2024-45201download/integration.py called exec on a cls_name variable an attacker could inject, giving arbitrary code execution. Affected versions before 0.10.38; disclosed August 22, 2024, CVSS 8.7.
  • CVE-2025-1793vector_store.delete() across eight vector-store integrations (ClickHouse, Couchbase, DeepLake, Jaguar, Lantern, Nile, OracleDB, SingleStoreDB) built unsanitized SQL, so a prompt could drive an injection such as delete("project:X' OR 1=1 --"). Fixed in LlamaIndex 0.12.28; published June 9, 2025.

Root cause

Blocklists and unparameterized queries stood in for real isolation. The safe_eval guard tried to enumerate dangerous syntax (underscores) instead of refusing to evaluate untrusted input at all — and enumeration always loses. The vector-store deletes concatenated LLM-influenced values into SQL rather than parameterizing them. Both are OWASP LLM05 Improper Output Handling driven by LLM01 Prompt Injection: CWE-94 code injection and CWE-89 SQL injection.

How it would have been caught

Unit tests that feed safe_eval known bypass payloads (underscore-free, alternate encodings) and assert nothing executes would have flipped red. A SQL-injection test handing vector_store.delete() a ' OR 1=1 -- value and asserting the query is parameterized would have caught CVE-2025-1793. Static analysis on eval/exec/os.system over prompt-derived data catches the rest.

How to prevent it

  • Upgrade to the fixed versions (0.10.24, 0.10.38, 0.12.28 as applicable).
  • Do not evaluate LLM-generated code; if a query engine must run generated code, sandbox it with no shell, no network, and least privilege — never rely on a syntax blocklist.
  • Parameterize every database query; never concatenate model output into SQL.

The Breachwire test (red → green)

Drive each vector for real: an underscore-free payload into the query engine, a hostile cls_name, and a ' OR 1=1 -- delete. Confirm code runs and the injection executes on the vulnerable versions (RED). Upgrade, replace eval with a sandboxed evaluator and parameterize the queries, then confirm the payloads are inert while a legitimate natural-language query and a normal delete still return correct results.