CVE-2024-3098

Published: Apr 10, 2024Modified: Jun 17, 2026Deferred

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security@huntr.dev (Secondary)

Description

A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475

Source: security@huntr.dev

https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7

Source: security@huntr.dev

https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475

Source: af854a3a-2127-422b-91ae-364da2661108

https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.