CVE-2024-4181
RunGptLLM class in LlamaIndex has a command injection
8.8
HIGH
CVSS 3.1
EPSS 1.6%
Description
A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models (LLMs). The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised LLM hosting provider to execute arbitrary commands on the client's machine. This issue was fixed in version 0.10.13. The exploitation of this vulnerability could lead to a hosting provider gaining full control over client machines.
How to fix CVE-2024-4181
To remediate CVE-2024-4181, upgrade the affected package to a fixed version below.
- —upgrade to 0.10.13 or later
- —upgrade to 0.1.3 or later
Is CVE-2024-4181 being exploited?
Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.10.13
- from 0, < 0.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |