CVE-2024-12909: 
Python vulnerability analysis and mitigation

A critical SQL injection vulnerability was discovered in the FinanceChatLlamaPack component of the run-llama/llamaindex repository, affecting versions up to v0.12.3. The vulnerability was assigned CVE-2024-12909 and was disclosed on March 20, 2025. The vulnerability exists in the run_sql_query function of the `databaseagent` component (NVD).

The vulnerability allows attackers to perform SQL injection attacks through the run_sql_query function in the database_agent component. The issue is particularly severe as it can lead to remote code execution (RCE) through PostgreSQL's large object functionality. The vulnerability has received a CVSS v3.0 base score of 10.0 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating the highest possible severity level (NVD).

The vulnerability's impact is severe as it allows attackers to inject arbitrary SQL queries, which can lead to remote code execution through PostgreSQL's large object functionality. Given the CVSS score of 10.0, this indicates potential complete compromise of the affected system's confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in version 0.3.0 of the FinanceChatLlamaPack. Users are strongly advised to upgrade to this version or later to mitigate the risk (NVD).