📄 Description (English)
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
🤖 AI Executive Summary
LlamaIndex versions up to 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine that allows attackers to trigger expensive SQL operations through user-supplied prompts, causing denial-of-service conditions. This vulnerability is particularly critical for Saudi organizations deploying AI-powered database query systems without proper input validation. With exploit code available and affecting widely-used LLM frameworks, immediate patching is essential to prevent service disruptions.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 1, 2026 21:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi financial institutions (SAMA-regulated banks) using LlamaIndex for AI-powered financial analysis and reporting systems, potentially causing service disruptions during critical trading hours. Government agencies (NCA oversight) deploying LLM-based document processing systems face operational disruption risks. Healthcare organizations using AI-driven clinical decision support systems could experience system unavailability. Energy sector (ARAMCO, SEC) and telecommunications (STC, Mobily) companies leveraging LlamaIndex for data analytics are vulnerable to resource exhaustion attacks. The vulnerability is particularly dangerous in multi-tenant SaaS deployments common in Saudi Arabia where untrusted users can submit prompts.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated institutions)
Government and Public Administration (NCA oversight)
Healthcare and Medical Services
Energy and Petroleum (ARAMCO, SEC)
Telecommunications (STC, Mobily, Zain)
Technology and Software Development
E-commerce and Retail
Insurance and Financial Technology
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running LlamaIndex versions 0.12.2 or earlier by scanning deployment inventories and dependency manifests
2. Isolate affected systems from untrusted user input sources or implement strict network access controls
3. Enable database query logging and monitoring for unusual SQL patterns
PATCHING GUIDANCE:
1. Upgrade LlamaIndex to version 0.12.3 or later immediately
2. For VannaPack implementations, update to the patched version that includes query execution limits
3. Test patches in non-production environments before deployment
4. Implement automated dependency scanning to prevent future vulnerable versions
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement database query timeouts (set max_execution_time to 30 seconds or less)
2. Configure database connection pooling with resource limits
3. Implement rate limiting on custom_query() API endpoints (max 10 requests per minute per user)
4. Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in prompts
5. Restrict database user permissions to read-only access where possible
6. Implement CPU and memory limits at container/process level using cgroups or similar mechanisms
DETECTION RULES:
1. Monitor for SQL queries with execution time exceeding 60 seconds
2. Alert on database CPU usage spikes correlating with custom_query() calls
3. Track memory consumption patterns in LlamaIndex processes
4. Log all prompts submitted to custom_query() for forensic analysis
5. Monitor for repeated failed or timeout queries from same user/IP
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات LlamaIndex 0.12.2 أو أقدم من خلال مسح قوائم الجرد والمكتبات المعتمدة
2. عزل الأنظمة المتأثرة عن مصادر المدخلات غير الموثوقة أو تطبيق عناصر تحكم صارمة في الوصول إلى الشبكة
3. تفعيل تسجيل الاستعلامات وقواعد البيانات ومراقبة أنماط SQL غير العادية
إرشادات التصحيح:
1. ترقية LlamaIndex إلى الإصدار 0.12.3 أو أحدث على الفور
2. لتطبيقات VannaPack، قم بالتحديث إلى الإصدار المصحح الذي يتضمن حدود تنفيذ الاستعلام
3. اختبر التصحيحات في بيئات غير الإنتاج قبل النشر
4. تطبيق المسح التلقائي للمكتبات المعتمدة لمنع الإصدارات الضعيفة في المستقبل
عناصر التحكم البديلة (إذا لم يكن التصحيح الفوري ممكنًا):
1. تطبيق مهلات زمنية لاستعلامات قاعدة البيانات (تعيين max_execution_time إلى 30 ثانية أو أقل)
2. تكوين تجميع اتصالات قاعدة البيانات بحدود الموارد
3. تطبيق تحديد معدل على نقاط نهاية API custom_query() (بحد أقصى 10 طلبات في الدقيقة لكل مستخدم)
4. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط حقن SQL في الموجهات
5. تقييد أذونات مستخدم قاعدة البيانات للوصول للقراءة فقط حيث أمكن
6. تطبيق حدود CPU والذاكرة على مستوى الحاوية/العملية باستخدام cgroups أو آليات مماثلة
قواعد الكشف:
1. مراقبة استعلامات SQL بوقت تنفيذ يتجاوز 60 ثانية
2. تنبيهات على ارتفاع استخدام CPU في قاعدة البيانات المرتبط باستدعاءات custom_query()
3. تتبع أنماط استهلاك الذاكرة في عمليات LlamaIndex
4. تسجيل جميع الموجهات المقدمة إلى custom_query() للتحليل الجنائي
5. مراقبة الاستعلامات المتكررة الفاشلة أو المنتهية من نفس المستخدم/IP
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.1.2 - Monitoring and review of system access and resources
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and identification
SAMA CSF PR.IP-12 - Software development and quality assurance
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
SAMA CSF RS.MI-2 - Incident response and recovery procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.8.1.1 - Inventory of assets
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.3.1 - Vulnerability identification and remediation
PCI DSS 11.2 - Vulnerability scanning
🔗 References & Sources 4
🔗
https://github.com/run-llama/llama_index
disclosure@vulncheck.com
Product
🔗
https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
disclosure@vulncheck.com
Exploit
Third Party Advisory
🔗
https://www.llamaindex.ai/
disclosure@vulncheck.com
Product
🔗
https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-r...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
llamaindex:llamaindex