CVE-2025-1793: 
Chainguard vulnerability analysis and mitigation

CVE-2025-1793 affects multiple vector store integrations in run-llama/llamaindex version v0.12.21. The vulnerability was discovered and disclosed on June 5, 2025. This SQL injection vulnerability impacts various vector store integrations including clickhouse, couchbase, deeplake, jaguar, lantern, nile, oracledb, and singlestoredb (NVD, [Github Commit](https://github.com/run-llama/llamaindex/commit/0008041e8dde8e519621388e5d6f558bde6ef42e)).

The vulnerability is classified as SQL injection (CWE-89) and has been assigned a CVSS v3.0 base score of 9.8 (CRITICAL). The CVSS vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network accessibility, low attack complexity, no privileges required, and high impact across confidentiality, integrity, and availability (NVD, Wiz).

The vulnerability allows attackers to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application. This presents a significant security risk for applications using the affected vector store integrations (NVD).

A patch has been released in version v0.12.28 that addresses the SQL injection vulnerabilities across multiple vector stores including clickhouse, couchbase, deeplake, jaguar, lantern, nile, oracledb, and singlestoredb integrations. Users are advised to upgrade to this version to mitigate the vulnerability (Github Commit).