CNNVD-202601-1885 Information

CNNVD ID

CNNVD-202601-1885

CVE-2024-14021

  • CNNVD Published: 2026-01-12

Description (Chinese, translated)

LlamaIndex is an open-source data framework for LLM applications, maintained by LlamaIndex. LlamaIndex 0.11.6 and earlier contain a code-issue vulnerability: the BGEM3Index.load_from_disk function deserializes a user-supplied file with pickle.load without any validation, which can lead to arbitrary code execution.

Description (English)

LlamaIndex is an open-source data framework for LLM applications, maintained by LlamaIndex. LlamaIndex 0.11.6 and earlier contain a code-issue vulnerability: the BGEM3Index.load_from_disk function passes a user-supplied file to pickle.load without validating it. Because unpickling can invoke arbitrary callables referenced by the stream, loading an attacker-controlled index file can result in arbitrary code execution.
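The following is an added illustration of the bug class the advisory describes, not LlamaIndex's own BGEM3Index code: a "load from disk" routine that hands an untrusted file to pickle.load, beside a hardened loader that refuses every global lookup in the stream. The index layout, the file names and the helper names (vulnerable_load_from_disk, safe_load_from_disk, RestrictedUnpickler, demo) are assumptions made for the example. The hostile pickle calls builtins.exec with a harmless payload that only sets an environment variable, so the effect can be observed without running anything dangerous.

```python
"""Unsafe pickle deserialization in an index loader, and a restricted loader.

Constructed example for the CVE-2024-14021 bug class; nothing here is
LlamaIndex project code.
"""
import os
import pickle
import tempfile

# Constructed stand-in for the state an embedding index might persist:
# only literals and containers, which never require a global lookup.
BENIGN_INDEX = {
    "model": "BAAI/bge-m3",
    "docs": ["doc-0", "doc-1"],
    "dense": [[0.1, 0.2], [0.3, 0.4]],
}


class MaliciousPayload:
    """Object whose pickle stream instructs the unpickler to call exec().

    The payload is deliberately harmless: it sets an environment variable
    so the test can observe that attacker-chosen code ran during load.
    """

    def __reduce__(self):
        code = "import os; os.environ['PICKLE_DEMO'] = 'code-ran'"
        # pickle records this as GLOBAL builtins.exec plus the argument tuple.
        return (exec, (code, {}))


def vulnerable_load_from_disk(path: str) -> object:
    """The pattern the advisory describes: trust whatever the file contains."""
    with open(path, "rb") as fh:
        return pickle.load(fh)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL / STACK_GLOBAL resolution.

    With find_class disabled, the stream can only build primitives, tuples,
    lists, dicts and sets; no callable can ever be resolved, so no __reduce__
    trick can execute. Widen this to an explicit allowlist only if the index
    genuinely needs, for example, numpy array reconstruction.
    """

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load_from_disk(path: str) -> object:
    with open(path, "rb") as fh:
        return RestrictedUnpickler(fh).load()


def demo() -> dict:
    """Write a benign and a hostile index file, load each with both loaders."""
    os.environ.pop("PICKLE_DEMO", None)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        benign_path = os.path.join(tmp, "index.pkl")
        hostile_path = os.path.join(tmp, "index_from_attacker.pkl")
        with open(benign_path, "wb") as fh:
            pickle.dump(BENIGN_INDEX, fh)
        with open(hostile_path, "wb") as fh:
            pickle.dump(MaliciousPayload(), fh)

        # Restricted loader: legitimate data still round-trips.
        results["safe_benign_ok"] = safe_load_from_disk(benign_path) == BENIGN_INDEX

        # Restricted loader: the hostile stream is rejected before exec resolves.
        try:
            safe_load_from_disk(hostile_path)
            results["safe_rejects_hostile"] = False
        except pickle.UnpicklingError:
            results["safe_rejects_hostile"] = True
        results["env_after_safe"] = os.environ.get("PICKLE_DEMO")

        # Naive loader: exec runs as a side effect of load().
        vulnerable_load_from_disk(hostile_path)
        results["env_after_vulnerable"] = os.environ.get("PICKLE_DEMO")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is a containment measure for data that is already in pickle form; where the on-disk format is under your control, the cleaner fix is to persist index state in a format with no code-execution semantics (JSON, or a tensor format such as safetensors for embedding matrices) and to treat any index file obtained from outside the trust boundary as untrusted input.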

Hazard Level

Medium

Vulnerability Type

Code issue

Affected Vendor

LlamaIndex

Published

2026-01-12

Last Modified

2026-02-24

References

https://github.com/run-llama/llama_index
https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
https://www.llamaindex.ai/
https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
https://access.redhat.com/security/cve/cve-2024-14021

Patch

https://github.com/run-llama/llama_index/releases