Vulnerability	Vulnerable Version
H Improper Handling of Exceptional Conditions llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the `stream_complete` method of the `LangChainLLM` class. An attacker can disrupt service availability by providing an input of type integer instead of a string and causing an error in the `stream` function where the thread terminates due to the error, but the process continues to run. How to fix Improper Handling of Exceptional Conditions? Upgrade `llama-index-core` to version 0.12.6 or higher.	[,0.12.6)
H SQL Injection llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to SQL Injection in the `default_jsonalyzer()` function, which may allow arbitrary file writes or denial of service by occupying database resources. An attacker who can inject SQL into a prompt can cause the SQL commands to be run on the underlying sqlite instance, including `ATTACH FILE` commands, which create files on the filesystem. How to fix SQL Injection? Upgrade `llama-index-core` to version 0.12.3 or higher.	[,0.12.3)
C Improper Control of Generation of Code ('Code Injection') llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to insufficient validation of input in the `exec_utils` class, specifically within the `safe_eval` function. An attacker can bypass method restrictions and execute unauthorized code by exploiting the flaw. This vulnerability is a bypass of the CVE-2023-39662 fix. How to fix Improper Control of Generation of Code ('Code Injection')? Upgrade `llama-index-core` to version 0.10.24 or higher.	[,0.10.24)

Go back to all versions of this package