Sign in Subscribe
CVE

How to RCE via SQL injection DuckDB(CVE-2025-1750)

chiencp

3 min read
How to RCE via SQL injection DuckDB(CVE-2025-1750)

Product Overview

LlamaIndex (formerly known as GPT Index) is a framework that facilitates the integration of Large Language Models (LLMs) with unstructured data such as text documents, databases, APIs, and other information sources. It helps organize, index, and retrieve data efficiently to enhance the performance and accuracy of AI models.

Vulnerability Summary

SQL Injection occurs from an unsafe DELETE query, allowing an attacker to perform arbitrary file read/write and Remote Code Execution (RCE) in LlamaIndex (v0.12.19).

Vulnerability Detail

My report in huntr (a vulnerability disclosure program for the AI/ML supply chain):

huntr - The world’s first bug bounty platform for AI/ML
The world’s first bug bounty platform for AI/ML
The world’s first bug bounty platform for AI/ML

I have a habit of reading reports on Huntr and analyzing them to expand my knowledge and discover new vulnerabilities. Recently, a few reports on Huntr about SQL Injection in LlamaIndex caught my attention. After reading those reports, I decided to try my luck by looking for similar vulnerabilities on that platform.

And this is the report that inspired me:

huntr - The world’s first bug bounty platform for AI/ML
The world’s first bug bounty platform for AI/ML
The world’s first bug bounty platform for AI/ML

SQL

First, I downloaded the source code of LlamaIndex and started analyzing it. My goal was to identify SQL Insert vulnerabilities, so I searched for keywords related to SQL queries such as "SELECT, INSERT, DELETE,..." or searched for functions that execute specific SQL queries here is the string "_conn.execute"

To simplify the search you can use vscode but what I like better is to use semgrep.

After searching, I discovered a query that uses string concatenation and allows user-controlled input. Without a doubt, this can lead to SQL Injection. The vulnerable code is located here.

 def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None:
        """
        Delete nodes using with ref_doc_id.

        Args:
            ref_doc_id (str): The doc_id of the document to delete.

        """
        _ddb_query = f"""
            DELETE FROM {self.table_name}
            WHERE json_extract_string(metadata_, '$.ref_doc_id') = '{ref_doc_id}';
            """
        if self.database_name == ":memory:":
            self._conn.execute(_ddb_query)
        else:
            with DuckDBLocalContext(self._database_path) as _conn:
                _conn.execute(_ddb_query)

At this point I have achieved SQLi exploitation, next I want to increase the impact of the vulnerability by achieving RCE.

RCE

While reviewing the DuckDB documentation, I identified several potential vectors that could lead to Remote Code Execution (RCE). Below, I’ll outline a few possible approaches for achieving RCE.

  1. Rce via shellfs extension
  2. You can write an SSH key to the ~/.ssh/authorized_keys directory
  3. You can use MySQL extension or 1 extension in the list below to create a connection to your own DB from which you can read files on the victim's system and write to your DB.
    https://duckdb.org/docs/stable/core_extensions/mysql

Proof-of-Concept

poc_llma.mp4
Google Docs

Final Thought

Try harder !!!