{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0.12.19"
              },
              {
                "fixed": "0.12.21"
              }
            ]
          },
          "events": [
            {
              "introduced": "c80992f18461f86695162a1a5f8333ac5b6d6453"
            },
            {
              "fixed": "663e663e869889afdb4bfadde06fed306586d29e"
            },
            {
              "fixed": "369a2942df2efcf6b74461c45d20a0af1fbe4ae2"
            }
          ],
          "repo": "https://github.com/run-llama/llama_index",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llama_index version v0.12.19. An attacker who controls the ref_doc_id parameter passed to this function can inject SQL through it, enabling them to read and write arbitrary files on the server, potentially leading to remote code execution (RCE). The affected range in this record lists 0.12.21 as the fixed version.",
  "id": "CVE-2025-1750",
  "modified": "2026-03-10T21:47:22.540679637Z",
  "published": "2025-06-02T10:15:20.557Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/run-llama/llama_index/commit/369a2942df2efcf6b74461c45d20a0af1fbe4ae2"
    },
    {
      "type": "EVIDENCE",
      "url": "https://huntr.com/bounties/e1302233-9180-4269-9047-1526247d2cd8"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}