CVE-2024-58339
Unknown Unknown - Not Provided
Uncontrolled Resource Consumption in LlamaIndex VannaQueryEngine Causes DoS

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: VulnCheck

Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58339
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
run-llama llama_index to 0.12.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-58339 is a vulnerability in LlamaIndex versions up to 0.12.2 where the VannaPack VannaQueryEngine's custom_query() function generates and executes SQL statements from user-supplied prompts without enforcing any limits on query execution. This allows attackers to create expensive or unbounded SQL operations that consume excessive CPU or memory resources, potentially causing the system to become unresponsive or crash due to resource exhaustion. [3]

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by allowing attackers to exhaust CPU or memory resources through unbounded or expensive SQL queries. In environments where untrusted users can supply prompts, an attacker could exploit this to disrupt service availability, degrade performance, or cause system crashes. [3]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade LlamaIndex to a version later than 0.12.2 where the uncontrolled resource consumption issue in the VannaPack VannaQueryEngine implementation is fixed. Additionally, restrict or validate user-supplied prompts to prevent untrusted users from executing arbitrary or expensive SQL queries via the custom_query() function. Implement monitoring and resource limits on SQL query execution if possible to prevent denial-of-service conditions. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart