aisentry Report

Generated: 2026-01-12 12:38:39 UTC

17
Combined Security Score
6
Vulnerability Score
29
Security Posture
2409
Files Scanned
649
Issues Found
70%
Confidence
19.2s
Scan Time

Vulnerabilities (649)

LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-cli/llama_index/cli/rag/base.py:328
LLM output from 'asyncio.run' is used in 'run(' on line 328 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
parser.set_defaults( func=lambda args: asyncio.run( instance_generator().handle_cli(**vars(args)) )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:142
LLM output variable 'result' flows to 'RuntimeError' on line 142 via direct flow. This creates a command_injection vulnerability.
if result.returncode != 0: raise RuntimeError(f"Git command failed: {result.stderr}") return [repo_root / Path(f) for f in result.stdout.splitlines() if f.strip()]
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:78
Function 'find_integrations' on line 78 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def find_integrations(root_path: Path, recursive=False) -> list[Path]: """Find all integrations packages in the repo.""" package_roots: list[Path] = [] integrations_root = root_path if not recursive: integrations_root = integrations_root / "llama-index-integrations" for category_path in integrations_root.iterdir(): if not category_path.is_dir(): continue
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:101
Function 'find_packs' on line 101 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def find_packs(root_path: Path) -> list[Path]: """Find all llama-index-packs packages in the repo.""" package_roots: list[Path] = [] packs_root = root_path / "llama-index-packs" for package_name in packs_root.iterdir(): if is_llama_index_package(package_name): package_roots.append(package_name) return package_roots
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:113
Function 'find_utils' on line 113 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def find_utils(root_path: Path) -> list[Path]: """Find all llama-index-utils packages in the repo.""" package_roots: list[Path] = [] utils_root = root_path / "llama-index-utils" for package_name in utils_root.iterdir(): if is_llama_index_package(package_name): package_roots.append(package_name) return package_roots
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Direct execution of LLM-generated code in 'get_changed_files'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:136
Function 'get_changed_files' on line 136 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
root_path / "llama-index-instrumentation", ] def get_changed_files(repo_root: Path, base_ref: str = "main") -> list[Path]: """Use git to get the list of files changed compared to the base branch.""" try: cmd = ["git", "diff", "--name-only", f"{base_ref}...HEAD"] result = subprocess.run(cmd, cwd=repo_root, text=True, capture_output=True) if result.returncode != 0:
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Critical decision without oversight in 'get_changed_files'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:136
Function 'get_changed_files' on line 136 makes critical data_modification decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
def get_changed_files(repo_root: Path, base_ref: str = "main") -> list[Path]: """Use git to get the list of files changed compared to the base branch.""" try: cmd = ["git", "diff", "--name-only", f"{base_ref}...HEAD"]
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:20
LLM output variable 'result' flows to 'RuntimeError' on line 20 via direct flow. This creates a command_injection vulnerability.
if result.returncode != 0: raise RuntimeError(f"Command failed: {command}\n{result.stderr}") return result.stdout.strip()
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Direct execution of LLM-generated code in '_run_command'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:15
Function '_run_command' on line 15 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
CHANGELOG_PLACEHOLDER = "<!--- generated changelog --->" def _run_command(command: str) -> str: """Helper to run a shell command and return the output.""" args = shlex.split(command) result = subprocess.run(args, capture_output=True, text=True) if result.returncode != 0: raise RuntimeError(f"Command failed: {command}\n{result.stderr}")
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in '_run_command'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:15
Function '_run_command' on line 15 directly executes LLM-generated code using subprocess.run. This is extremely dangerous and allows arbitrary code execution.
def _run_command(command: str) -> str: """Helper to run a shell command and return the output.""" args = shlex.split(command) result = subprocess.run(args, capture_output=True, text=True)
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:61
LLM output from 'subprocess.run' is used in 'subprocess.' on line 61 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
for package in packages: result = subprocess.run( cmd.split(" "), cwd=package,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:53
LLM output from 'is_llama_index_package' is used in 'subprocess.' on line 53 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
package_path = obj["repo_root"] / package_name if not is_llama_index_package(package_path): raise click.UsageError( f"{package_name} is not a path to a LlamaIndex package"
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Function 'cmd_exec' on line 35 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def cmd_exec( obj: dict, all: bool, package_names: tuple, cmd: str, fail_fast: bool, silent: bool ): if not all and not package_names: raise click.UsageError("Either specify a package name or use the --all flag") console = obj["console"] packages: set[Path] = set() # Do not use the virtual environment calling llama-dev, if any env = os.environ.copy() if "VIRTUAL_ENV" in env:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Direct execution of LLM-generated code in 'cmd_exec'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Function 'cmd_exec' on line 35 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
default=False, help="Only print errors", ) @click.pass_obj def cmd_exec( obj: dict, all: bool, package_names: tuple, cmd: str, fail_fast: bool, silent: bool ): if not all and not package_names: raise click.UsageError("Either specify a package name or use the --all flag")
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in 'cmd_exec'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Function 'cmd_exec' on line 35 directly executes LLM-generated code using exec(, subprocess.run. This is extremely dangerous and allows arbitrary code execution.
) @click.pass_obj def cmd_exec( obj: dict, all: bool, package_names: tuple, cmd: str, fail_fast: bool, silent: bool ): if not all and not package_names:
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/bump.py:32
Function 'bump' on line 32 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def bump( obj: dict, all: bool, package_names: tuple, version_type: str, dry_run: bool, ): """Bump version for specified packages or all packages.""" console = obj["console"] if not all and not package_names:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'bump'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/bump.py:32
Function 'bump' on line 32 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) @click.pass_obj def bump( obj: dict, all: bool, package_names: tuple,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/info.py:24
Function 'info' on line 24 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def info(obj: dict, all: bool, use_json: bool, package_names: tuple): if not all and not package_names: raise click.UsageError("Either specify a package name or use the --all flag") packages = set() if all: packages = find_all_packages(obj["repo_root"]) else: for package_name in package_names: package_path = obj["repo_root"] / package_name if not is_llama_index_package(package_path):
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:55
LLM output from 'loop.run_until_complete' is used in 'run(' on line 55 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
# If we're here, there's an existing loop but it's not running return loop.run_until_complete(coro) except RuntimeError as e:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:99
LLM output from 'loop.run_until_complete' is used in 'run(' on line 99 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
outputs: List[Any] = asyncio_run(_gather()) return outputs
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:60
LLM output from 'asyncio.run' is used in 'run(' on line 60 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return asyncio.run(coro) except RuntimeError as e: raise RuntimeError(
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:46
LLM output from 'ctx.run' is used in 'run(' on line 46 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return ctx.run(new_loop.run_until_complete, coro) finally: new_loop.close()
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities HIGH
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/schema.py:8
Import of 'pickle' on line 8. This library can execute arbitrary code during deserialization. File fetches external data - HIGH RISK if deserializing remote content.
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/fusion_retriever.py:83
Function '_get_queries' on line 83 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_queries(self, original_query: str) -> List[QueryBundle]: prompt_str = self.query_gen_prompt.format( num_queries=self.num_queries - 1, query=original_query, ) response = self._llm.complete(prompt_str) # Strip code block and assume LLM properly put each query on a newline queries = response.text.strip("`").split("\n") queries = [q.strip() for q in queries if q.strip()] if self._verbose:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:41
User input parameter 'query_bundle' is directly passed to LLM API call 'self._query_transform.run'. This is a high-confidence prompt injection vector.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:41
LLM output variable 'query_bundle' flows to 'self._query_transform.run' on line 41 via direct flow. This creates a command_injection vulnerability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:40
Function '_retrieve' on line 40 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata ) return self._retriever.retrieve(query_bundle)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/ingestion/pipeline.py:159
LLM output variable 'nodes' flows to 'loop.run_until_complete' on line 159 via direct flow. This creates a command_injection vulnerability.
loop = asyncio.new_event_loop() nodes = loop.run_until_complete( arun_transformations( nodes=nodes,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/ingestion/pipeline.py:160
LLM output variable 'nodes' flows to 'arun_transformations' on line 160 via direct flow. This creates a command_injection vulnerability.
nodes = loop.run_until_complete( arun_transformations( nodes=nodes, transformations=transformations,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/utils.py:151
Function 'embed_nodes' on line 151 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def embed_nodes( nodes: Sequence[BaseNode], embed_model: BaseEmbedding, show_progress: bool = False ) -> Dict[str, List[float]]: """ Get embeddings of the given nodes, run embedding model if necessary. Args: nodes (Sequence[BaseNode]): The nodes to embed. embed_model (BaseEmbedding): The embedding model to use. show_progress (bool): Whether to show progress bar.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/utils.py:187
Function 'embed_image_nodes' on line 187 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def embed_image_nodes( nodes: Sequence[ImageNode], embed_model: MultiModalEmbedding, show_progress: bool = False, ) -> Dict[str, List[float]]: """ Get image embeddings of the given nodes, run image embedding model if necessary. Args: nodes (Sequence[ImageNode]): The nodes to embed. embed_model (MultiModalEmbedding): The embedding model to use.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/tools/function_tool.py:49
LLM output from 'loop.run_in_executor' is used in 'run(' on line 49 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
loop = asyncio.get_running_loop() return await loop.run_in_executor(None, lambda: fn(*args, **kwargs)) return _async_wrapped_fn
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'message' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:208
User input parameter 'message' is directly passed to LLM API call 'self.chat_store.add_message'. This is a high-confidence prompt injection vector.
# ensure everything is serialized self.chat_store.add_message(self.chat_store_key, message)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:216
User input parameter 'messages' is directly passed to LLM API call 'self.chat_store.set_messages'. This is a high-confidence prompt injection vector.
"""Set chat history.""" self.chat_store.set_messages(self.chat_store_key, messages)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:205
Function 'put' on line 205 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def put(self, message: ChatMessage) -> None: """Put chat history.""" # ensure everything is serialized self.chat_store.add_message(self.chat_store_key, message) async def aput(self, message: ChatMessage) -> None: """Put chat history.""" await self.chat_store.async_add_message(self.chat_store_key, message) def set(self, messages: List[ChatMessage]) -> None: """Set chat history."""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:214
Function 'set' on line 214 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def set(self, messages: List[ChatMessage]) -> None: """Set chat history.""" self.chat_store.set_messages(self.chat_store_key, messages) def reset(self) -> None: """Reset chat history.""" self.chat_store.delete_messages(self.chat_store_key) def get_token_count(self) -> int: """Returns the token count of the memory buffer (excluding the last assistant response).""" return self._token_count
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'reset'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:218
Function 'reset' on line 218 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.chat_store.set_messages(self.chat_store_key, messages) def reset(self) -> None: """Reset chat history.""" self.chat_store.delete_messages(self.chat_store_key)
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_summarize_oldest_chat_history'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:262
Function '_summarize_oldest_chat_history' on line 262 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return chat_history_full_text, chat_history_to_be_summarized def _summarize_oldest_chat_history( self, chat_history_to_be_summarized: List[ChatMessage] ) -> ChatMessage: """
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'message' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:130
User input parameter 'message' is directly passed to LLM API call 'self.chat_store.add_message'. This is a high-confidence prompt injection vector.
# ensure everything is serialized self.chat_store.add_message(self.chat_store_key, message)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:139
User input parameter 'messages' is directly passed to LLM API call 'self.chat_store.set_messages'. This is a high-confidence prompt injection vector.
"""Set chat history.""" self.chat_store.set_messages(self.chat_store_key, messages)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:117
Function 'get' on line 117 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get(self, input: Optional[str] = None, **kwargs: Any) -> List[ChatMessage]: """Get chat history.""" return self.chat_store.get_messages(self.chat_store_key, **kwargs) async def aget( self, input: Optional[str] = None, **kwargs: Any ) -> List[ChatMessage]: """Get chat history.""" return await self.chat_store.aget_messages(self.chat_store_key, **kwargs) def put(self, message: ChatMessage) -> None:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:127
Function 'put' on line 127 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def put(self, message: ChatMessage) -> None: """Put chat history.""" # ensure everything is serialized self.chat_store.add_message(self.chat_store_key, message) async def aput(self, message: ChatMessage) -> None: """Put chat history.""" # ensure everything is serialized await self.chat_store.async_add_message(self.chat_store_key, message) def set(self, messages: List[ChatMessage]) -> None:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:137
Function 'set' on line 137 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def set(self, messages: List[ChatMessage]) -> None: """Set chat history.""" self.chat_store.set_messages(self.chat_store_key, messages) async def aset(self, messages: List[ChatMessage]) -> None: """Set chat history.""" # ensure everything is serialized await self.chat_store.aset_messages(self.chat_store_key, messages) def reset(self) -> None: """Reset chat history."""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'reset'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:146
Function 'reset' on line 146 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
await self.chat_store.aset_messages(self.chat_store_key, messages) def reset(self) -> None: """Reset chat history.""" self.chat_store.delete_messages(self.chat_store_key)
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/node_recency.py:108
Function '_postprocess_nodes' on line 108 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: """Postprocess nodes.""" try: import pandas as pd except ImportError: raise ImportError( "pandas is required for this function. Please install it with `pip install pandas`."
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:174
User input parameter 'messages' is directly passed to LLM API call 'self.llm.chat'. This is a high-confidence prompt injection vector.
def run_llm(self, messages: Sequence[ChatMessage]) -> ChatResponse: return self.llm.chat(messages)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:57
Function '_postprocess_nodes' on line 57 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: if query_bundle is None: raise ValueError("Query bundle must be provided.") items = { "query": query_bundle.query_str, "hits": [{"content": node.get_content()} for node in nodes],
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:173
Function 'run_llm' on line 173 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run_llm(self, messages: Sequence[ChatMessage]) -> ChatResponse: return self.llm.chat(messages) async def arun_llm(self, messages: Sequence[ChatMessage]) -> ChatResponse: return await self.llm.achat(messages) def _clean_response(self, response: str) -> str: new_response = "" for c in response: if not c.isdigit(): new_response += " "
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/optimizer.py:98
Function '_postprocess_nodes' on line 98 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: """Optimize a node text given the query by shortening the node text.""" if query_bundle is None: return nodes for node_idx in range(len(nodes)): text = nodes[node_idx].node.get_content(metadata_mode=MetadataMode.LLM)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/llm_rerank.py:71
Function '_postprocess_nodes' on line 71 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: if query_bundle is None: raise ValueError("Query bundle must be provided.") if len(nodes) == 0: return [] initial_results: List[NodeWithScore] = []
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/structured_llm_rerank.py:143
Function '_postprocess_nodes' on line 143 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: dispatcher.event( ReRankStartEvent( query=query_bundle, nodes=nodes, top_n=self.top_n, model_name=self.llm.metadata.model_name,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/objects/base_node_mapping.py:4
Import of 'pickle' on line 4. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/objects/base.py:3
Import of 'pickle' on line 3. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/program/function_program.py:153
LLM output variable 'messages' flows to 'self._llm.predict_and_call' on line 153 via direct flow. This creates a command_injection vulnerability.
agent_response = self._llm.predict_and_call( [tool], chat_history=messages,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Critical decision without oversight in '__call__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/program/multi_modal_llm_program.py:102
Function '__call__' on line 102 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._prompt = prompt def __call__( self, llm_kwargs: Optional[Dict[str, Any]] = None, image_documents: Optional[List[Union[ImageBlock, ImageNode]]] = None,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'format_messages'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/prompts/rich.py:81
Function 'format_messages' on line 81 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return Prompt(self.template_str).text(data=mapped_all_kwargs) def format_messages( self, llm: Optional[BaseLLM] = None, **kwargs: Any ) -> List[ChatMessage]: del llm # unused
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/simple_summarize.py:82
User input 'query_str' flows to LLM call via format_call in variable 'text_qa_template'. Function 'get_response' may be vulnerable to prompt injection attacks.
) -> RESPONSE_TEXT_TYPE: text_qa_template = self._text_qa_template.partial_format(query_str=query_str) single_text_chunk = "\n".join(text_chunks) truncated_chunks = self._prompt_helper.truncate( prompt=text_qa_template, text_chunks=[single_text_chunk], llm=self._llm, ) response: RESPONSE_TEXT_TYPE if not self._streaming: response = self._llm.predict( text_qa_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Critical decision without oversight in 'get_response'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/simple_summarize.py:76
Function 'get_response' on line 76 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return response def get_response( self, query_str: str, text_chunks: Sequence[str],
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/generation.py:77
Function 'get_response' on line 77 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_response( self, query_str: str, text_chunks: Sequence[str], **response_kwargs: Any, ) -> RESPONSE_TEXT_TYPE: # NOTE: ignore text chunks and previous response del text_chunks if not self._streaming: return self._llm.predict(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:227
User input 'query_str' flows to LLM call via format_call in variable 'text_qa_template'. Function '_give_response_single' may be vulnerable to prompt injection attacks.
"""Give response given a query and a corresponding text chunk.""" text_qa_template = self._text_qa_template.partial_format(query_str=query_str) text_chunks = self._prompt_helper.repack( text_qa_template, [text_chunk], llm=self._llm ) response: Optional[RESPONSE_TEXT_TYPE] = None program = self._program_factory(text_qa_template) # TODO: consolidate with loop in get_response_default for cur_text_chunk in text_chunks: query_satisfied = False if response is None and not self._streaming: try: structured_response = cast( StructuredRefineResponse, program( context_str=cur_text_chunk, **response_kwargs, ), ) query_satisfied = structured_response.query_satisfied if query_satisfied: response = structured_response.answer except ValidationError as e: logger.warning( f"Validation error on structured response: {e}", exc_info=True ) elif response is None and self._streaming: response = self._llm.stream( text_qa_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:293
User input 'query_str' flows to LLM call via format_call in variable 'refine_template'. Function '_refine_response_single' may be vulnerable to prompt injection attacks.
# NOTE: partial format refine template with query_str and existing_answer here refine_template = self._refine_template.partial_format( query_str=query_str, existing_answer=response ) # compute available chunk size to see if there is any available space # determine if the refine template is too big (which can happen if # prompt template + query + existing answer is too large) avail_chunk_size = self._prompt_helper._get_available_chunk_size( refine_template ) if avail_chunk_size < 0: # if the available chunk size is negative, then the refine template # is too big and we just return the original response return response # obtain text chunks to add to the refine template text_chunks = self._prompt_helper.repack( refine_template, text_chunks=[text_chunk], llm=self._llm ) program = self._program_factory(refine_template) for cur_text_chunk in text_chunks: query_satisfied = False if not self._streaming: try: structured_response = cast( StructuredRefineResponse, program( context_msg=cur_text_chunk, **response_kwargs, ), ) query_satisfied = structured_response.query_satisfied if query_satisfied: response = structured_response.answer except ValidationError as e: logger.warning( f"Validation error on structured response: {e}", exc_info=True ) else: # TODO: structured response not supported for streaming if isinstance(response, Generator): response = "".join(response) refine_template = self._refine_template.partial_format( query_str=query_str, existing_answer=response ) response = self._llm.stream( refine_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:220
Function '_give_response_single' on line 220 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _give_response_single( self, query_str: str, text_chunk: str, **response_kwargs: Any, ) -> RESPONSE_TEXT_TYPE: """Give response given a query and a corresponding text chunk.""" text_qa_template = self._text_qa_template.partial_format(query_str=query_str) text_chunks = self._prompt_helper.repack( text_qa_template, [text_chunk], llm=self._llm )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_refine_response_single'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:275
Function '_refine_response_single' on line 275 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return response def _refine_response_single( self, response: RESPONSE_TEXT_TYPE, query_str: str,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/tree_summarize.py:141
User input 'query_str' flows to LLM call via format_call in variable 'summary_template'. Function 'get_response' may be vulnerable to prompt injection attacks.
"""Get tree summarize response.""" summary_template = self._summary_template.partial_format(query_str=query_str) # repack text_chunks so that each chunk fills the context window text_chunks = self._prompt_helper.repack( summary_template, text_chunks=text_chunks, llm=self._llm ) if self._verbose: print(f"{len(text_chunks)} text chunks after repacking") # give final response if there is only one chunk if len(text_chunks) == 1: response: RESPONSE_TEXT_TYPE if self._streaming: response = self._llm.stream( summary_template, context_str=text_chunks[0], **response_kwargs
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/tree_summarize.py:134
Function 'get_response' on line 134 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_response( self, query_str: str, text_chunks: Sequence[str], **response_kwargs: Any, ) -> RESPONSE_TEXT_TYPE: """Get tree summarize response.""" summary_template = self._summary_template.partial_format(query_str=query_str) # repack text_chunks so that each chunk fills the context window text_chunks = self._prompt_helper.repack( summary_template, text_chunks=text_chunks, llm=self._llm
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'llama_dataset_id' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:90
User input parameter 'llama_dataset_id' is directly passed to LLM API call 'subprocess.run'. This is a high-confidence prompt injection vector.
try: subprocess.run( [
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:90
LLM output from 'subprocess.run' is used in 'subprocess.' on line 90 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: subprocess.run( [ "llamaindex-cli",
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Direct execution of LLM-generated code in '_download_llama_dataset_from_hub'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:84
Function '_download_llama_dataset_from_hub' on line 84 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
metric_dict[metric_key].append(mean_score) return pd.DataFrame(metric_dict) def _download_llama_dataset_from_hub(llama_dataset_id: str) -> "LabelledRagDataset": """Uses a subprocess and llamaindex-cli to download a dataset from llama-hub.""" from llama_index.core.llama_dataset import LabelledRagDataset with tempfile.TemporaryDirectory() as tmp: try:
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in '_download_llama_dataset_from_hub'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:84
Function '_download_llama_dataset_from_hub' on line 84 directly executes LLM-generated code using subprocess.run. This is extremely dangerous and allows arbitrary code execution.
def _download_llama_dataset_from_hub(llama_dataset_id: str) -> "LabelledRagDataset": """Uses a subprocess and llamaindex-cli to download a dataset from llama-hub.""" from llama_index.core.llama_dataset import LabelledRagDataset
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_context.py:158
Function 'synthesize' on line 158 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore], additional_source_nodes: Optional[Sequence[NodeWithScore]] = None, streaming: bool = False, ) -> RESPONSE_TYPE: image_nodes, text_nodes = _get_image_and_text_nodes(nodes) context_str = "\n\n".join( [r.get_content(metadata_mode=MetadataMode.LLM) for r in text_nodes] )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'synthesize'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_context.py:158
Function 'synthesize' on line 158 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self._apply_node_postprocessors(nodes, query_bundle=query_bundle) def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore],
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'latest_message' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/condense_plus_context.py:183
User input 'latest_message' flows to LLM call via format_call in variable 'llm_input'. Function '_condense_question' may be vulnerable to prompt injection attacks.
llm_input = self._condense_prompt_template.format( chat_history=chat_history_str, question=latest_message ) return str(self._llm.complete(llm_input))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/condense_question.py:117
Function '_condense_question' on line 117 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _condense_question( self, chat_history: List[ChatMessage], last_message: str ) -> str: """ Generate standalone question from conversation context and last message. """ if not chat_history: # Keep the question as is if there's no conversation context. return last_message chat_history_str = messages_to_history_str(chat_history)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/types.py:402
Function 'chat_repl' on line 402 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat_repl(self) -> None: """Enter interactive chat REPL.""" print("===== Entering Chat REPL =====") print('Type "exit" to exit.\n') self.reset() message = input("Human: ") while message != "exit": response = self.chat(message) print(f"Assistant: {response}\n") message = input("Human: ")
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/simple.py:75
Function 'chat' on line 75 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@trace_method("chat") def chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> AgentChatResponse: if chat_history is not None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/simple.py:108
Function 'stream_chat' on line 108 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@trace_method("chat") def stream_chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> StreamingAgentChatResponse: if chat_history is not None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'latest_message' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:141
User input 'latest_message' flows to LLM call via format_call in variable 'llm_input'. Function '_condense_question' may be vulnerable to prompt injection attacks.
llm_input = self._condense_prompt_template.format( chat_history=chat_history_str, question=latest_message ) return str(self._multi_modal_llm.complete(llm_input))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:237
Function 'synthesize' on line 237 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def synthesize( self, query_str: str, nodes: List[NodeWithScore], additional_source_nodes: Optional[Sequence[NodeWithScore]] = None, streaming: bool = False, ) -> RESPONSE_TYPE: image_nodes, text_nodes = _get_image_and_text_nodes(nodes) context_str = "\n\n".join( [r.get_content(metadata_mode=MetadataMode.LLM) for r in text_nodes] )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'synthesize'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:237
Function 'synthesize' on line 237 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return context_source, context_nodes def synthesize( self, query_str: str, nodes: List[NodeWithScore],
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/question_gen/llm_generators.py:67
Function 'generate' on line 67 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate( self, tools: Sequence[ToolMetadata], query: QueryBundle ) -> List[SubQuestion]: tools_str = build_tools_text(tools) query_str = query.query_str prediction = self._llm.predict( prompt=self._prompt, tools_str=tools_str, query_str=query_str, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/custom.py:34
Function 'chat' on line 34 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: assert self.messages_to_prompt is not None prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:53
Function 'chat' on line 53 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """Chat endpoint for LLM.""" # TODO: # NOTE: we are wrapping existing messages in a ChatPromptTemplate to # make this work with our FunctionCallingProgram, even though # the messages don't technically have any variables (they are already formatted) chat_prompt = ChatPromptTemplate(message_templates=messages) output = self.llm.structured_predict(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:74
Function 'stream_chat' on line 74 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: chat_prompt = ChatPromptTemplate(message_templates=messages) stream_output = self.llm.stream_structured_predict( output_cls=self.output_cls, prompt=chat_prompt, llm_kwargs=kwargs ) for partial_output in stream_output: yield ChatResponse( message=ChatMessage(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:53
Function 'chat' on line 53 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """Chat endpoint for LLM.""" # TODO:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:74
Function 'stream_chat' on line 74 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: chat_prompt = ChatPromptTemplate(message_templates=messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/function_calling.py:236
LLM output variable 'response' flows to 'self.get_tool_calls_from_response' on line 236 via direct flow. This creates a command_injection vulnerability.
) tool_calls = self.get_tool_calls_from_response( response, error_on_no_tool_call=error_on_no_tool_call )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/function_calling.py:35
Function 'chat_with_tools' on line 35 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat_with_tools( self, tools: Sequence["BaseTool"], user_msg: Optional[Union[str, ChatMessage]] = None, chat_history: Optional[List[ChatMessage]] = None, verbose: bool = False, allow_parallel_tool_calls: bool = False, tool_required: bool = False, # if required, LLM should only call tools, and not return a response **kwargs: Any, ) -> ChatResponse: """Chat with function calling."""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/mock.py:148
Function 'chat' on line 148 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: r = super().chat(copy.deepcopy(messages), **kwargs) self.last_chat_messages = messages self.last_called_chat_function.append("chat") return r @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: r = super().stream_chat(copy.deepcopy(messages), **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:151
User input parameter 'query_bundle' is directly passed to LLM API call 'self.generate_query'. This is a high-confidence prompt injection vector.
"""Get nodes for response.""" graph_store_query = self.generate_query(query_bundle.query_str) if self._verbose:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:156
LLM output variable 'graph_store_query' flows to 'self.callback_manager.event' on line 156 via direct flow. This creates a command_injection vulnerability.
with self.callback_manager.event( CBEventType.RETRIEVE, payload={EventPayload.QUERY_STR: graph_store_query},
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:125
Function 'generate_query' on line 125 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate_query(self, query_str: str) -> str: """Generate a Graph Store Query from a query bundle.""" # Get the query engine query string graph_store_query: str = self._llm.predict( self._graph_query_synthesis_prompt, query_str=query_str, schema=self._graph_schema, ) return graph_store_query
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:149
Function '_retrieve' on line 149 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: """Get nodes for response.""" graph_store_query = self.generate_query(query_bundle.query_str) if self._verbose: print_text(f"Graph Store Query:\n{graph_store_query}\n", color="yellow") logger.debug(f"Graph Store Query:\n{graph_store_query}") with self.callback_manager.event( CBEventType.RETRIEVE, payload={EventPayload.QUERY_STR: graph_store_query}, ) as retrieve_event:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sql_join_query_engine.py:147
Function '_run' on line 147 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run(self, query_bundle: QueryBundle, metadata: Dict) -> QueryBundle: """Run query transform.""" query_str = query_bundle.query_str sql_query = metadata["sql_query"] sql_query_response = metadata["sql_query_response"] new_query_str = self._llm.predict( self._sql_augment_transform_prompt, query_str=query_str, sql_query_str=sql_query, sql_response_str=sql_query_response, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sql_join_query_engine.py:250
Function '_query_sql_other' on line 250 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query_sql_other(self, query_bundle: QueryBundle) -> RESPONSE_TYPE: """Query SQL database + other query engine in sequence.""" # first query SQL database sql_response = self._sql_query_tool.query_engine.query(query_bundle) if not self._use_sql_join_synthesis: return sql_response sql_query = ( sql_response.metadata["sql_query"] if sql_response.metadata else None ) if self._verbose:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/multi_modal.py:111
Function 'synthesize' on line 111 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore], additional_source_nodes: Optional[Sequence[NodeWithScore]] = None, ) -> RESPONSE_TYPE: image_nodes, text_nodes = _get_image_and_text_nodes(nodes) context_str = "\n\n".join( [r.get_content(metadata_mode=MetadataMode.LLM) for r in text_nodes] ) fmt_prompt = self._text_qa_template.format(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'synthesize'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/multi_modal.py:111
Function 'synthesize' on line 111 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self._apply_node_postprocessors(nodes, query_bundle=query_bundle) def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore],
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:140
User input parameter 'query_bundle' is directly passed to LLM API call 'self.query_transformer.run'. This is a high-confidence prompt injection vector.
) new_query = self.query_transformer.run(query_bundle, {"evaluation": eval}) logger.debug("New query: %s", new_query.query_str)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:70
LLM output from 'query_transformer.run' is used in 'run(' on line 70 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
query_transformer = FeedbackQueryTransformation() new_query = query_transformer.run(query_bundle, {"evaluation": eval}) return new_query_engine.query(new_query)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:140
LLM output from 'self.query_transformer.run' is used in 'run(' on line 140 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) new_query = self.query_transformer.run(query_bundle, {"evaluation": eval}) logger.debug("New query: %s", new_query.query_str) return new_query_engine.query(new_query)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sub_question_query_engine.py:151
LLM output variable 'tasks' flows to 'run_async_tasks' on line 151 via direct flow. This creates a command_injection vulnerability.
qa_pairs_all = run_async_tasks(tasks) qa_pairs_all = cast(List[Optional[SubQuestionAnswerPair]], qa_pairs_all) else:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:47
User input parameter 'query_bundle' is directly passed to LLM API call 'self._query_transform.run'. This is a high-confidence prompt injection vector.
def retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:58
User input parameter 'query_bundle' is directly passed to LLM API call 'self._query_transform.run'. This is a high-confidence prompt injection vector.
) -> RESPONSE_TYPE: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:84
User input parameter 'query_bundle' is directly passed to LLM API call 'self._query_transform.run'. This is a high-confidence prompt injection vector.
"""Answer a query.""" query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:47
LLM output variable 'query_bundle' flows to 'self._query_transform.run' on line 47 via direct flow. This creates a command_injection vulnerability.
def retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:58
LLM output variable 'query_bundle' flows to 'self._query_transform.run' on line 58 via direct flow. This creates a command_injection vulnerability.
) -> RESPONSE_TYPE: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:84
LLM output variable 'query_bundle' flows to 'self._query_transform.run' on line 84 via direct flow. This creates a command_injection vulnerability.
"""Answer a query.""" query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:46
Function 'retrieve' on line 46 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata ) return self._query_engine.retrieve(query_bundle) def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore], additional_source_nodes: Optional[Sequence[NodeWithScore]] = None,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:52
Function 'synthesize' on line 52 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def synthesize( self, query_bundle: QueryBundle, nodes: List[NodeWithScore], additional_source_nodes: Optional[Sequence[NodeWithScore]] = None, ) -> RESPONSE_TYPE: query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata ) return self._query_engine.synthesize( query_bundle=query_bundle,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:82
Function '_query' on line 82 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> RESPONSE_TYPE: """Answer a query.""" query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata ) return self._query_engine.query(query_bundle) async def _aquery(self, query_bundle: QueryBundle) -> RESPONSE_TYPE: """Answer a query.""" query_bundle = self._query_transform.run( query_bundle, metadata=self._transform_metadata
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/base/base_auto_retriever.py:35
User input parameter 'query_bundle' is directly passed to LLM API call 'self.generate_retrieval_spec'. This is a high-confidence prompt injection vector.
"""Retrieve using generated spec.""" retrieval_spec = self.generate_retrieval_spec(query_bundle) retriever, new_query_bundle = self._build_retriever_from_spec(retrieval_spec)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/base/base_auto_retriever.py:33
Function '_retrieve' on line 33 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: """Retrieve using generated spec.""" retrieval_spec = self.generate_retrieval_spec(query_bundle) retriever, new_query_bundle = self._build_retriever_from_spec(retrieval_spec) return retriever.retrieve(new_query_bundle) async def _aretrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: """Retrieve using generated spec asynchronously.""" retrieval_spec = await self.agenerate_retrieval_spec(query_bundle) retriever, new_query_bundle = self._build_retriever_from_spec(retrieval_spec) return await retriever.aretrieve(new_query_bundle)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/selectors/llm_selectors.py:215
LLM output variable 'parsed' flows to '_structured_output_to_selector_result' on line 215 via direct flow. This creates a sql_injection vulnerability.
parsed = self._prompt.output_parser.parse(prediction) return _structured_output_to_selector_result(parsed) async def _aselect(
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llama_dataset/legacy/embedding.py:72
Function 'generate_qa_embedding_pairs' on line 72 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate_qa_embedding_pairs( nodes: List[TextNode], llm: Optional[LLM] = None, qa_generate_prompt_tmpl: str = DEFAULT_QA_GENERATE_PROMPT_TMPL, num_questions_per_chunk: int = 2, ) -> EmbeddingQAFinetuneDataset: """Generate examples given a set of nodes.""" llm = llm or Settings.llm node_dict = { node.node_id: node.get_content(metadata_mode=MetadataMode.NONE) for node in nodes
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/answer_inserter.py:165
Function 'insert' on line 165 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def insert( self, response: str, query_tasks: List[QueryTask], answers: List[str], prev_response: Optional[str] = None, ) -> str: """Insert answers into response.""" prev_response = prev_response or "" query_answer_pairs = ""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/base.py:188
Function '_query' on line 188 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> RESPONSE_TYPE: """Query and get response.""" print_text(f"Query: {query_bundle.query_str}\n", color="green") cur_response = "" source_nodes = [] for iter in range(self._max_iterations): if self._verbose: print_text(f"Current response: {cur_response}\n", color="blue") # generate "lookahead response" that contains "[Search(query)]" tags # e.g. # The colors on the flag of Ghana have the following meanings. Red is
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/base.py:188
Function '_query' on line 188 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return relevant_lookahead_resp def _query(self, query_bundle: QueryBundle) -> RESPONSE_TYPE: """Query and get response.""" print_text(f"Query: {query_bundle.query_str}\n", color="green") cur_response = ""
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/faithfulness.py:133
Function 'evaluate' on line 133 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def evaluate( self, query: Union[str, None] = None, response: Union[str, None] = None, contexts: Union[Sequence[str], None] = None, image_paths: Union[List[str], None] = None, image_urls: Union[List[str], None] = None, **kwargs: Any, ) -> EvaluationResult: """Evaluate whether the response is faithful to the multi-modal contexts.""" del query # Unused
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'evaluate'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/faithfulness.py:133
Function 'evaluate' on line 133 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._refine_template = prompts["refine_template"] def evaluate( self, query: Union[str, None] = None, response: Union[str, None] = None,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/relevancy.py:112
Function 'evaluate' on line 112 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def evaluate( self, query: Union[str, None] = None, response: Union[str, None] = None, contexts: Union[Sequence[str], None] = None, image_paths: Union[List[str], None] = None, image_urls: Union[List[str], None] = None, **kwargs: Any, ) -> EvaluationResult: """Evaluate whether the multi-modal contexts and response are relevant to the query.""" del kwargs # Unused
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'evaluate'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/relevancy.py:112
Function 'evaluate' on line 112 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._refine_template = prompts["refine_template"] def evaluate( self, query: Union[str, None] = None, response: Union[str, None] = None,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:758
LLM output from 'super().run' is used in 'run(' on line 758 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if ctx is not None and ctx.is_running: return super().run( ctx=ctx, **kwargs,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:771
LLM output from 'super().run' is used in 'run(' on line 771 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) return super().run( start_event=start_event, ctx=ctx,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:745
Function 'run' on line 745 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run( self, user_msg: Optional[Union[str, ChatMessage]] = None, chat_history: Optional[List[ChatMessage]] = None, memory: Optional[BaseMemory] = None, ctx: Optional[Context] = None, max_iterations: Optional[int] = None, early_stopping_method: Optional[Literal["force", "generate"]] = None, start_event: Optional[AgentWorkflowStartEvent] = None, **kwargs: Any, ) -> WorkflowHandler:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:725
LLM output from 'super().run' is used in 'run(' on line 725 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if ctx is not None and ctx.is_running: return super().run( ctx=ctx, **kwargs,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:738
LLM output from 'super().run' is used in 'run(' on line 738 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) return super().run( start_event=start_event, ctx=ctx,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:712
Function 'run' on line 712 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run( self, user_msg: Optional[Union[str, ChatMessage]] = None, chat_history: Optional[List[ChatMessage]] = None, memory: Optional[BaseMemory] = None, ctx: Optional[Context] = None, max_iterations: Optional[int] = None, early_stopping_method: Optional[Literal["force", "generate"]] = None, start_event: Optional[AgentWorkflowStartEvent] = None, **kwargs: Any, ) -> WorkflowHandler:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/node_parser/text/semantic_splitter.py:160
Function 'build_semantic_nodes_from_documents' on line 160 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def build_semantic_nodes_from_documents( self, documents: Sequence[Document], show_progress: bool = False, ) -> List[BaseNode]: """Build window nodes from documents.""" all_nodes: List[BaseNode] = [] for doc in documents: text = doc.text text_splits = self.sentence_splitter(text)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/node_parser/text/semantic_splitter.py:263
Function '_calculate_distances_between_sentence_groups' on line 263 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _calculate_distances_between_sentence_groups( self, sentences: List[SentenceCombination] ) -> List[float]: distances = [] for i in range(len(sentences) - 1): embedding_current = sentences[i]["combined_sentence_embedding"] embedding_next = sentences[i + 1]["combined_sentence_embedding"] similarity = self.embed_model.similarity(embedding_current, embedding_next) distance = 1 - similarity
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:223
LLM output variable 'response' flows to 'extract_numbers_given_response' on line 223 via direct flow. This creates a sql_injection vulnerability.
numbers = extract_numbers_given_response(response, n=self.child_branch_factor) if numbers is None: debug_str = (
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:339
LLM output variable 'response' flows to 'extract_numbers_given_response' on line 339 via direct flow. This creates a sql_injection vulnerability.
numbers = extract_numbers_given_response(response, n=self.child_branch_factor) if numbers is None: debug_str = (
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Critical decision without oversight in '_query_with_selected_node'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:110
Function '_query_with_selected_node' on line 110 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def _query_with_selected_node( self, selected_node: BaseNode, query_bundle: QueryBundle,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_embedding_retriever.py:106
Function '_get_query_text_embedding_similarities' on line 106 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_text_embedding_similarities( self, query_bundle: QueryBundle, nodes: List[BaseNode] ) -> List[float]: """ Get query text embedding similarity. Cache the query embedding and the node text embedding. """ if query_bundle.embedding is None: query_bundle.embedding = self._embed_model.get_agg_embedding_from_queries(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:87
LLM output variable 'node1' flows to 'self.index_graph.insert' on line 87 via direct flow. This creates a sql_injection vulnerability.
node1 = TextNode(text=summary1) self.index_graph.insert(node1, children_nodes=half1) truncated_chunks = self._prompt_helper.truncate(
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:99
LLM output variable 'node2' flows to 'self.index_graph.insert' on line 99 via direct flow. This creates a sql_injection vulnerability.
node2 = TextNode(text=summary2) self.index_graph.insert(node2, children_nodes=half2) # insert half1 and half2 as new children of parent_node
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:146
LLM output variable 'response' flows to 'extract_numbers_given_response' on line 146 via direct flow. This creates a sql_injection vulnerability.
) numbers = extract_numbers_given_response(response) if numbers is None or len(numbers) == 0: # NOTE: if we can't extract a number, then we just insert under parent
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:116
Function '_insert_node' on line 116 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _insert_node( self, node: BaseNode, parent_node: Optional[BaseNode] = None ) -> None: """Insert node.""" cur_graph_node_ids = self.index_graph.get_children(parent_node) cur_graph_nodes = self._docstore.get_node_dict(cur_graph_node_ids) cur_graph_node_list = get_sorted_node_list(cur_graph_nodes) # if cur_graph_nodes is empty (start with empty graph), then insert under # parent (insert new root node) if len(cur_graph_nodes) == 0: self._insert_under_parent_and_consolidate(node, parent_node)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_insert_under_parent_and_consolidate'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:49
Function '_insert_under_parent_and_consolidate' on line 49 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._docstore = docstore or get_default_docstore() def _insert_under_parent_and_consolidate( self, text_node: BaseNode, parent_node: Optional[BaseNode] ) -> None: """
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'sql_query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:253
User input parameter 'sql_query_str' is directly passed to LLM API call 'self._sql_database.run_sql'. This is a high-confidence prompt injection vector.
else: raw_response_str, metadata = self._sql_database.run_sql(sql_query_str)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:109
Function '_run_with_sql_only_check' on line 109 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run_with_sql_only_check( self, sql_query_str: str ) -> Tuple[str, Dict[str, Any]]: """Don't run sql if sql_only is true, else continue with normal path.""" if self._sql_only: metadata: Dict[str, Any] = {} raw_response_str = sql_query_str else: raw_response_str, metadata = self._sql_database.run_sql(sql_query_str) return raw_response_str, metadata
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:247
Function '_run_with_sql_only_check' on line 247 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run_with_sql_only_check(self, sql_query_str: str) -> Tuple[str, Dict]: """Don't run sql if sql_only is true, else continue with normal path.""" if self._sql_only: metadata: Dict[str, Any] = {} raw_response_str = sql_query_str else: raw_response_str, metadata = self._sql_database.run_sql(sql_query_str) return raw_response_str, metadata def _query(self, query_bundle: QueryBundle) -> Response:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:257
Function '_query' on line 257 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> Response: """Answer a query.""" table_desc_str = self._get_table_context(query_bundle) logger.info(f"> Table desc str: {table_desc_str}") response_str = self._llm.predict( self._text_to_sql_prompt, query_str=query_bundle.query_str, schema=table_desc_str, dialect=self._sql_database.dialect, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/json_query.py:158
Function '_query' on line 158 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> Response: """Answer a query.""" schema = self._get_schema_context() json_path_response_str = self._llm.predict( self._json_path_prompt, schema=schema, query_str=query_bundle.query_str, ) if self._verbose:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/json_query.py:158
Function '_query' on line 158 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return json.dumps(self._json_schema) def _query(self, query_bundle: QueryBundle) -> Response: """Answer a query.""" schema = self._get_schema_context()
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'parse_response_to_sql'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_retriever.py:160
Function 'parse_response_to_sql' on line 160 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._embed_model = embed_model def parse_response_to_sql(self, response: str, query_bundle: QueryBundle) -> str: """Parse response to SQL.""" sql_query_start = response.find("SQLQuery:") if sql_query_start != -1:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'handle_llm_prompt_template' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:574
User input parameter 'handle_llm_prompt_template' is directly passed to LLM API call 'self._llm.predict'. This is a high-confidence prompt injection vector.
if handle_llm_prompt_template is not None: response = self._llm.predict( handle_llm_prompt_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:164
LLM output variable 'response' flows to 'extract_keywords_given_response' on line 164 via direct flow. This creates a sql_injection vulnerability.
) keywords = extract_keywords_given_response( response, start_token="KEYWORDS:", lowercase=False )
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:579
LLM output variable 'response' flows to 'extract_keywords_given_response' on line 579 via direct flow. This creates a sql_injection vulnerability.
) enitities_llm = extract_keywords_given_response( response, start_token=result_start_token, lowercase=False )
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:157
Function '_get_keywords' on line 157 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_keywords(self, query_str: str) -> List[str]: """Extract keywords.""" response = self._llm.predict( self.query_keyword_extract_template, max_keywords=self.max_keywords_per_query, question=query_str, ) keywords = extract_keywords_given_response( response, start_token="KEYWORDS:", lowercase=False ) return list(keywords)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:190
Function '_retrieve' on line 190 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve( self, query_bundle: QueryBundle, ) -> List[NodeWithScore]: """Get nodes for response.""" node_visited = set() keywords = self._get_keywords(query_bundle.query_str) if self._verbose: print_text(f"Extracted keywords: {keywords}\n", color="green") rel_texts = [] cur_rel_map = {}
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:541
Function '_process_entities' on line 541 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _process_entities( self, query_str: str, handle_fn: Optional[Callable], handle_llm_prompt_template: Optional[BasePromptTemplate], cross_handle_policy: Optional[str] = "union", max_items: Optional[int] = 5, result_start_token: str = "KEYWORDS:", ) -> List[str]: """Get entities from query string.""" assert cross_handle_policy in [
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_retrieve'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:190
Function '_retrieve' on line 190 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return keywords def _retrieve( self, query_bundle: QueryBundle, ) -> List[NodeWithScore]:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:160
User input parameter 'text' is directly passed to LLM API call 'self._llm.predict'. This is a high-confidence prompt injection vector.
"""Extract keywords from text.""" response = self._llm.predict( self.kg_triplet_extract_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:204
Function '_build_index_from_nodes' on line 204 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _build_index_from_nodes( self, nodes: Sequence[BaseNode], **build_kwargs: Any ) -> KG: """Build the index from nodes.""" # do simple concatenation index_struct = self.index_struct_cls() nodes_with_progress = get_tqdm_iterable( nodes, self._show_progress, "Processing nodes" ) for n in nodes_with_progress: triplets = self._extract_triplets(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:234
Function '_insert' on line 234 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _insert(self, nodes: Sequence[BaseNode], **insert_kwargs: Any) -> None: """Insert a document.""" for n in nodes: triplets = self._extract_triplets( n.get_content(metadata_mode=MetadataMode.LLM) ) logger.debug(f"Extracted triplets: {triplets}") for triplet in triplets: subj, _, obj = triplet triplet_str = str(triplet) self.upsert_triplet(triplet)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_insert'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:234
Function '_insert' on line 234 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return index_struct def _insert(self, nodes: Sequence[BaseNode], **insert_kwargs: Any) -> None: """Insert a document.""" for n in nodes: triplets = self._extract_triplets(
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/retrievers.py:156
Function '_get_keywords' on line 156 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_keywords(self, query_str: str) -> List[str]: """Extract keywords.""" response = self._llm.predict( self.query_keyword_extract_template, max_keywords=self.max_keywords_per_query, question=query_str, ) keywords = extract_keywords_given_response(response, start_token="KEYWORDS:") return list(keywords)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/base.py:239
User input parameter 'text' is directly passed to LLM API call 'self._llm.predict'. This is a high-confidence prompt injection vector.
"""Extract keywords from text.""" response = self._llm.predict( self.keyword_extract_template,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/base.py:243
LLM output variable 'response' flows to 'extract_keywords_given_response' on line 243 via direct flow. This creates a sql_injection vulnerability.
) return extract_keywords_given_response(response, start_token="KEYWORDS:") async def _async_extract_keywords(self, text: str) -> Set[str]:
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:202
LLM output variable 'nodes' flows to 'asyncio.run' on line 202 via direct flow. This creates a command_injection vulnerability.
if self._use_async: nodes = asyncio.run( arun_transformations( nodes, self._kg_extractors, show_progress=self._show_progress
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:208
LLM output variable 'nodes' flows to 'run_transformations' on line 208 via direct flow. This creates a command_injection vulnerability.
else: nodes = run_transformations( nodes, self._kg_extractors, show_progress=self._show_progress )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:203
LLM output variable 'nodes' flows to 'arun_transformations' on line 203 via direct flow. This creates a command_injection vulnerability.
nodes = asyncio.run( arun_transformations( nodes, self._kg_extractors, show_progress=self._show_progress )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:259
LLM output variable 'node_texts' flows to 'asyncio.run' on line 259 via direct flow. This creates a command_injection vulnerability.
if self._use_async: embeddings = asyncio.run( self._embed_model.aget_text_embedding_batch( node_texts, show_progress=self._show_progress
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:195
Function '_insert_nodes' on line 195 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _insert_nodes(self, nodes: Sequence[BaseNode]) -> Sequence[BaseNode]: """Insert nodes to the index struct.""" if len(nodes) == 0: return nodes # run transformations on nodes to extract triplets if self._use_async: nodes = asyncio.run( arun_transformations( nodes, self._kg_extractors, show_progress=self._show_progress )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_insert_nodes'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:195
Function '_insert_nodes' on line 195 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return None def _insert_nodes(self, nodes: Sequence[BaseNode]) -> Sequence[BaseNode]: """Insert nodes to the index struct.""" if len(nodes) == 0: return nodes
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'build_index_from_nodes'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common_tree/base.py:140
Function 'build_index_from_nodes' on line 140 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return new_node_dict def build_index_from_nodes( self, index_graph: IndexGraph, cur_node_ids: Dict[int, str],
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/list/retrievers.py:124
Function '_get_embeddings' on line 124 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_embeddings( self, query_bundle: QueryBundle, nodes: List[BaseNode] ) -> Tuple[List[float], List[List[float]]]: """Get top nodes by similarity to the query.""" if query_bundle.embedding is None: query_bundle.embedding = self._embed_model.get_agg_embedding_from_queries( query_bundle.embedding_strs ) node_embeddings: List[List[float]] = [] nodes_embedded = 0
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/list/retrievers.py:191
Function '_retrieve' on line 191 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: """Retrieve nodes.""" node_ids = self._index.index_struct.nodes results = [] for idx in range(0, len(node_ids), self._choice_batch_size): node_ids_batch = node_ids[idx : idx + self._choice_batch_size] nodes_batch = self._index.docstore.get_nodes(node_ids_batch) query_str = query_bundle.query_str fmt_batch_str = self._format_node_batch_fn(nodes_batch) # call each batch independently
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/document_summary/retrievers.py:81
Function '_retrieve' on line 81 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve( self, query_bundle: QueryBundle, ) -> List[NodeWithScore]: """Retrieve nodes.""" summary_ids = self._index.index_struct.summary_ids all_summary_ids: List[str] = [] all_relevances: List[float] = [] for idx in range(0, len(summary_ids), self._choice_batch_size): summary_ids_batch = summary_ids[idx : idx + self._choice_batch_size]
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/document_summary/retrievers.py:157
Function '_retrieve' on line 157 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve( self, query_bundle: QueryBundle, ) -> List[NodeWithScore]: """Retrieve nodes.""" if self._vector_store.is_embedding_query: if query_bundle.embedding is None: query_bundle.embedding = ( self._embed_model.get_agg_embedding_from_queries( query_bundle.embedding_strs )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/feedback_transform.py:103
Function '_resynthesize_query' on line 103 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _resynthesize_query( self, query_str: str, response: str, feedback: Optional[str] ) -> str: """Resynthesize query given feedback.""" if feedback is None: return query_str else: new_query_str = self.llm.predict( self.resynthesis_prompt, query_str=query_str, response=response,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle_or_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:73
User input parameter 'query_bundle_or_str' is directly passed to LLM API call 'self.run'. This is a high-confidence prompt injection vector.
"""Run query processor.""" return self.run(query_bundle_or_str, metadata=metadata)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:73
LLM output from 'self.run' is used in 'run(' on line 73 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Run query processor.""" return self.run(query_bundle_or_str, metadata=metadata)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:143
LLM output from 'self._llm.predict' is used in 'run(' on line 143 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
query_str = query_bundle.query_str hypothetical_doc = self._llm.predict(self._hyde_prompt, context_str=query_str) embedding_strs = [hypothetical_doc] if self._include_original:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:67
Function '__call__' on line 67 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def __call__( self, query_bundle_or_str: QueryType, metadata: Optional[Dict] = None, ) -> QueryBundle: """Run query processor.""" return self.run(query_bundle_or_str, metadata=metadata) class IdentityQueryTransform(BaseQueryTransform): """
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:139
Function '_run' on line 139 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run(self, query_bundle: QueryBundle, metadata: Dict) -> QueryBundle: """Run query transform.""" # TODO: support generating multiple hypothetical docs query_str = query_bundle.query_str hypothetical_doc = self._llm.predict(self._hyde_prompt, context_str=query_str) embedding_strs = [hypothetical_doc] if self._include_original: embedding_strs.extend(query_bundle.embedding_strs) return QueryBundle( query_str=query_str, custom_embedding_strs=embedding_strs,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:189
Function '_run' on line 189 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run(self, query_bundle: QueryBundle, metadata: Dict) -> QueryBundle: """Run query transform.""" # currently, just get text from the index structure index_summary = cast(str, metadata.get("index_summary", "None")) # given the text from the index, we can use the query bundle to generate # a new query bundle query_str = query_bundle.query_str new_query_str = self._llm.predict( self._decompose_query_prompt, query_str=query_str,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:297
Function '_run' on line 297 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _run(self, query_bundle: QueryBundle, metadata: Dict) -> QueryBundle: """Run query transform.""" index_summary = cast( str, metadata.get("index_summary", "None"), ) prev_reasoning = cast(Response, metadata.get("prev_reasoning")) fmt_prev_reasoning = f"\n{prev_reasoning}" if prev_reasoning else "None" # given the text from the index, we can use the query bundle to generate # a new query bundle
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common/struct_store/base.py:213
LLM output variable 'new_cur_fields' flows to 'fields.update' on line 213 via direct flow. This creates a sql_injection vulnerability.
new_cur_fields = self._clean_and_validate_fields(cur_fields) fields.update(new_cur_fields) struct_datapoint = StructDatapoint(fields) if struct_datapoint is not None:
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common/struct_store/base.py:192
Function 'insert_datapoint_from_nodes' on line 192 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def insert_datapoint_from_nodes(self, nodes: Sequence[BaseNode]) -> None: """Extract datapoint from a document and insert it.""" text_chunks = [ node.get_content(metadata_mode=MetadataMode.LLM) for node in nodes ] fields = {} for i, text_chunk in enumerate(text_chunks): fmt_text_chunk = truncate_text(text_chunk, 50) logger.info(f"> Adding chunk {i}: {fmt_text_chunk}") # if embedding specified in document, pass it to the Node schema_text = self._get_schema_text()
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/vector_store/retrievers/auto_retriever/auto_retriever.py:158
Function 'generate_retrieval_spec' on line 158 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate_retrieval_spec( self, query_bundle: QueryBundle, **kwargs: Any ) -> BaseModel: # prepare input info_str = self._vector_store_info.model_dump_json(indent=4) schema_str = VectorStoreQuerySpec.model_json_schema() # call LLM output = self._llm.predict( self._prompt, schema_str=schema_str,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/dynamic_llm.py:296
LLM output from 'asyncio.run' is used in 'call(' on line 296 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self.acall(nodes, show_progress=show_progress, **kwargs)) async def _apredict_without_props(self, text: str) -> str:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/simple_llm.py:78
LLM output from 'asyncio.run' is used in 'call(' on line 78 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Extract triples from nodes.""" return asyncio.run(self.acall(nodes, show_progress=show_progress, **kwargs)) async def _aextract(self, node: BaseNode) -> BaseNode:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/schema_llm.py:246
LLM output from 'asyncio.run' is used in 'call(' on line 246 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Extract triplets from nodes.""" return asyncio.run(self.acall(nodes, show_progress=show_progress, **kwargs)) def _prune_invalid_props(
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/vector.py:85
Function '_get_vector_store_query' on line 85 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_vector_store_query(self, query_bundle: QueryBundle) -> VectorStoreQuery: if query_bundle.embedding is None: query_bundle.embedding = self._embed_model.get_agg_embedding_from_queries( query_bundle.embedding_strs ) return VectorStoreQuery( query_embedding=query_bundle.embedding, similarity_top_k=self._similarity_top_k, filters=self._filters, **self._retriever_kwargs,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/text_to_cypher.py:137
Function 'retrieve_from_graph' on line 137 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def retrieve_from_graph(self, query_bundle: QueryBundle) -> List[NodeWithScore]: schema = self._graph_store.get_schema_str() question = query_bundle.query_str response = self.llm.predict( self.text_to_cypher_template, schema=schema, question=question, ) parsed_cypher_query = self._parse_generated_cypher(response)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/cypher_template.py:52
Function 'retrieve_from_graph' on line 52 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def retrieve_from_graph(self, query_bundle: QueryBundle) -> List[NodeWithScore]: question = query_bundle.query_str response = self.llm.structured_predict( self.output_cls, PromptTemplate(question) ) cypher_response = self._graph_store.structured_query( self.cypher_query, param_map=response.model_dump(), )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/protocols/llama-index-protocols-ag-ui/llama_index/protocols/ag_ui/agent.py:89
Function '_snapshot_messages' on line 89 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _snapshot_messages(self, ctx: Context, chat_history: List[ChatMessage]) -> None: # inject tool calls into the assistant message for msg in chat_history: if msg.role == "assistant": tool_calls = self.llm.get_tool_calls_from_response( ChatResponse(message=msg), error_on_no_tool_call=False ) if tool_calls: msg.additional_kwargs["ag_ui_tool_calls"] = [ { "id": tool_call.tool_id,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_snapshot_messages'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/protocols/llama-index-protocols-ag-ui/llama_index/protocols/ag_ui/agent.py:89
Function '_snapshot_messages' on line 89 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.system_prompt = system_prompt def _snapshot_messages(self, ctx: Context, chat_history: List[ChatMessage]) -> None: # inject tool calls into the assistant message for msg in chat_history: if msg.role == "assistant":
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '__init__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/extractors/llama-index-extractors-entity/llama_index/extractors/entity/base.py:66
Function '__init__' on line 66 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
_model: Any = PrivateAttr() def __init__( self, model_name: str = DEFAULT_ENTITY_MODEL, prediction_threshold: float = 0.5,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai/llama_index/llms/openai/responses.py:279
Function '__init__' on line 279 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def __init__( self, model: str = DEFAULT_OPENAI_MODEL, temperature: float = DEFAULT_TEMPERATURE, max_output_tokens: Optional[int] = None, reasoning_options: Optional[Dict[str, Any]] = None, include: Optional[List[str]] = None, instructions: Optional[str] = None, track_previous_responses: bool = False, store: bool = False, built_in_tools: Optional[List[dict]] = None,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai/llama_index/llms/openai/base.py:486
Function '_chat' on line 486 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: client = self._get_client() message_dicts = to_openai_message_dicts( messages, model=self.model, ) if self.reuse_client: response = client.chat.completions.create( messages=message_dicts, stream=False,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:183
Function 'chat' on line 183 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: all_kwargs = self._get_all_kwargs(**{**self.additional_kwargs, **kwargs}) chat_messages, all_kwargs = prepare_messages_before_chat( messages=messages, **all_kwargs ) response = self._client.chat.completions.create( project_id=self.project_id, messages=chat_messages, **all_kwargs ) if not response.choices:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:214
Function 'stream_chat' on line 214 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: all_kwargs = self._get_all_kwargs(**{**self.additional_kwargs, **kwargs}) chat_messages, all_kwargs = prepare_messages_before_chat( messages=messages, **all_kwargs ) response_generator = self._client.chat.completions.create( project_id=self.project_id,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:183
Function 'chat' on line 183 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: all_kwargs = self._get_all_kwargs(**{**self.additional_kwargs, **kwargs}) chat_messages, all_kwargs = prepare_messages_before_chat(
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:214
Function 'stream_chat' on line 214 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: all_kwargs = self._get_all_kwargs(**{**self.additional_kwargs, **kwargs})
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-siliconflow/llama_index/llms/siliconflow/base.py:550
User input parameter 'prompt' is directly passed to LLM API call 'chat_to_completion_decorator(self.chat)'. This is a high-confidence prompt injection vector.
) -> CompletionResponse: return chat_to_completion_decorator(self.chat)(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:225
Function 'chat' on line 225 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: oci_params = self._provider.messages_to_oci_params(messages) oci_params["is_stream"] = False tools = kwargs.pop("tools", None) all_kwargs = self._get_all_kwargs(**kwargs) chat_params = {**all_kwargs, **oci_params} if tools: chat_params["tools"] = [ self._provider.convert_to_oci_tool(tool) for tool in tools ]
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:263
Function 'stream_chat' on line 263 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: oci_params = self._provider.messages_to_oci_params(messages) oci_params["is_stream"] = True tools = kwargs.pop("tools", None) all_kwargs = self._get_all_kwargs(**kwargs) chat_params = {**all_kwargs, **oci_params} if tools: chat_params["tools"] = [ self._provider.convert_to_oci_tool(tool) for tool in tools
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:284
Function 'gen' on line 284 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def gen() -> ChatResponseGen: content = "" tool_calls_accumulated = [] for event in response.data.events(): content_delta = self._provider.chat_stream_to_text( json.loads(event.data) ) content += content_delta try:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:225
Function 'chat' on line 225 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: oci_params = self._provider.messages_to_oci_params(messages) oci_params["is_stream"] = False tools = kwargs.pop("tools", None)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:263
Function 'stream_chat' on line 263 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: oci_params = self._provider.messages_to_oci_params(messages)
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:284
Function 'gen' on line 284 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
response = self._client.chat(request) def gen() -> ChatResponseGen: content = "" tool_calls_accumulated = []
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-langchain/llama_index/llms/langchain/base.py:86
Function 'chat' on line 86 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: from llama_index.llms.langchain.utils import ( from_lc_messages, to_lc_messages, ) if not self.metadata.is_chat_model: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-langchain/llama_index/llms/langchain/base.py:125
Function 'gen' on line 125 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
if hasattr(self._llm, "stream"): def gen() -> Generator[ChatResponse, None, None]: from llama_index.llms.langchain.utils import ( from_lc_messages, to_lc_messages,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:657
User input parameter 'prompt' is directly passed to LLM API call 'chat_to_completion_decorator(self.chat)'. This is a high-confidence prompt injection vector.
) -> CompletionResponse: return chat_to_completion_decorator(self.chat)(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:388
Function 'chat' on line 388 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: ollama_messages = self._convert_to_ollama_messages(messages) tools = kwargs.pop("tools", None) think = kwargs.pop("think", None) or self.thinking format = kwargs.pop("format", "json" if self.json_mode else None) response = self.client.chat( model=self.model, messages=ollama_messages, stream=False,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:436
Function 'stream_chat' on line 436 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: ollama_messages = self._convert_to_ollama_messages(messages) tools = kwargs.pop("tools", None) think = kwargs.pop("think", None) or self.thinking format = kwargs.pop("format", "json" if self.json_mode else None) def gen() -> ChatResponseGen: response = self.client.chat(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:388
Function 'chat' on line 388 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: ollama_messages = self._convert_to_ollama_messages(messages) tools = kwargs.pop("tools", None)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:436
Function 'stream_chat' on line 436 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: ollama_messages = self._convert_to_ollama_messages(messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:445
Function 'gen' on line 445 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
format = kwargs.pop("format", "json" if self.json_mode else None) def gen() -> ChatResponseGen: response = self.client.chat( model=self.model, messages=ollama_messages,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:473
Function 'chat' on line 473 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:487
Function 'complete' on line 487 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: """ Complete by LLM. Args: prompt: Prompt for completion. formatted: Whether the prompt is formatted by wrapper. kwargs: Other kwargs for complete.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:487
Function 'complete' on line 487 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: """
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mlx/llama_index/llms/mlx/base.py:284
Function 'chat' on line 284 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:261
LLM output variable 'request' flows to 'self._runner.send_chat_completion_request' on line 261 via direct flow. This creates a command_injection vulnerability.
response = self._runner.send_chat_completion_request(request) return CompletionResponse( text=response.choices[0].message.content,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:264
LLM output variable 'response' flows to 'extract_logprobs' on line 264 via direct flow. This creates a sql_injection vulnerability.
text=response.choices[0].message.content, logprobs=extract_logprobs(response), )
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:290
LLM output variable 'request' flows to 'self._runner.send_chat_completion_request' on line 290 via direct flow. This creates a command_injection vulnerability.
streamer = self._runner.send_chat_completion_request(request) def gen() -> CompletionResponseGen:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:241
Function 'chat' on line 241 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: try: from mistralrs import ChatCompletionRequest except ImportError as e: raise ValueError( "Missing `mistralrs` package. Install via `pip install mistralrs`." ) from e if self._has_messages_to_prompt: messages = self.messages_to_prompt(messages) else: messages = llama_index_to_mistralrs_messages(messages)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:268
Function 'stream_chat' on line 268 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: try: from mistralrs import ChatCompletionRequest except ImportError as e: raise ValueError( "Missing `mistralrs` package. Install via `pip install mistralrs`." ) from e if self._has_messages_to_prompt: messages = self.messages_to_prompt(messages)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:241
Function 'chat' on line 241 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: try: from mistralrs import ChatCompletionRequest except ImportError as e:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:268
Function 'stream_chat' on line 268 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: try:
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:309
Function 'complete' on line 309 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: try:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:335
Function 'stream_complete' on line 335 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def stream_complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponseGen: try:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:456
User input parameter 'prompt' is directly passed to LLM API call 'self.client.generate'. This is a high-confidence prompt injection vector.
logger.debug(f"Calling complete with prompt: {prompt}") response = self.client.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:496
User input parameter 'prompt' is directly passed to LLM API call 'self.client.generate'. This is a high-confidence prompt injection vector.
text = "" for response in self.client.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:532
User input parameter 'messages' is directly passed to LLM API call 'self.client.chat'. This is a high-confidence prompt injection vector.
logger.debug(f"Calling chat with messages: {messages}") response = self.client.chat( messages=_to_message_dicts(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:576
User input parameter 'messages' is directly passed to LLM API call 'self.client.chat'. This is a high-confidence prompt injection vector.
tool_calls = [] for response in self.client.chat( messages=_to_message_dicts(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:519
Function 'chat' on line 519 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """ Generate a chat completion based on the input messages. Args: messages (Sequence[ChatMessage]): A sequence of chat messages. **kwargs: Additional keyword arguments. Returns: ChatResponse: The chat response from the LLM.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:519
Function 'chat' on line 519 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """ Generate a chat completion based on the input messages.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-vertex/llama_index/llms/vertex/utils.py:109
User input parameter 'prompt' is directly passed to LLM API call 'client.predict_streaming'. This is a high-confidence prompt injection vector.
if stream: return client.predict_streaming(prompt, **kwargs) else:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-vertex/llama_index/llms/vertex/utils.py:111
User input parameter 'prompt' is directly passed to LLM API call 'client.predict'. This is a high-confidence prompt injection vector.
else: return client.predict(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:364
User input parameter 'messages' is directly passed to LLM API call 'self._client.chat.complete'. This is a high-confidence prompt injection vector.
all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.chat.complete(messages=messages, **all_kwargs) blocks: List[TextBlock | ThinkingBlock | ToolCallBlock] = []
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:430
User input parameter 'messages' is directly passed to LLM API call 'self._client.chat.stream'. This is a high-confidence prompt injection vector.
response = self._client.chat.stream(messages=messages, **all_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:746
User input parameter 'prompt' is directly passed to LLM API call 'self._client.fim.complete'. This is a high-confidence prompt injection vector.
if stop: response = self._client.fim.complete( model=self.model, prompt=prompt, suffix=suffix, stop=stop
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:750
User input parameter 'prompt' is directly passed to LLM API call 'self._client.fim.complete'. This is a high-confidence prompt injection vector.
else: response = self._client.fim.complete( model=self.model, prompt=prompt, suffix=suffix
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:359
Function 'chat' on line 359 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: # convert messages to mistral ChatMessage messages = to_mistral_chatmessage(messages) all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.chat.complete(messages=messages, **all_kwargs) blocks: List[TextBlock | ThinkingBlock | ToolCallBlock] = [] if self.model in MISTRAL_AI_REASONING_MODELS: thinking_txt, response_txt = self._separate_thinking( response.choices[0].message.content or []
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:422
Function 'stream_chat' on line 422 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: # convert messages to mistral ChatMessage messages = to_mistral_chatmessage(messages) all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.chat.stream(messages=messages, **all_kwargs) def gen() -> ChatResponseGen:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:359
Function 'chat' on line 359 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: # convert messages to mistral ChatMessage messages = to_mistral_chatmessage(messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:422
Function 'stream_chat' on line 422 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: # convert messages to mistral ChatMessage
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:379
User input parameter 'prompt' is directly passed to LLM API call 'self._model.generate'. This is a high-confidence prompt injection vector.
del generation_kwargs["use_completions"] response = self._model.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:415
User input parameter 'prompt' is directly passed to LLM API call 'self._model.generate_text_stream'. This is a high-confidence prompt injection vector.
stream_response = self._model.generate_text_stream( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:410
Function 'stream_complete' on line 410 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponseGen: params, generation_kwargs = self._split_generation_params(kwargs) stream_response = self._model.generate_text_stream( prompt=prompt, params=self._text_generation_params or params, **generation_kwargs, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:450
Function '_chat' on line 450 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: message_dicts = [to_watsonx_message_dict(message) for message in messages] params, generation_kwargs = self._split_chat_generation_params(kwargs) response = self._model.chat( messages=message_dicts, params=params, tools=generation_kwargs.get("tools"), tool_choice=generation_kwargs.get("tool_choice"), tool_choice_option=generation_kwargs.get("tool_choice_option"), )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:514
Function '_stream_chat' on line 514 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: message_dicts = [to_watsonx_message_dict(message) for message in messages] params, generation_kwargs = self._split_chat_generation_params(kwargs) stream_response = self._model.chat_stream( messages=message_dicts, params=params, tools=generation_kwargs.get("tools"), tool_choice=generation_kwargs.get("tool_choice"),
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:421
Function 'gen' on line 421 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def gen() -> CompletionResponseGen: content = "" if kwargs.get("raw_response"): for stream_delta in stream_response: stream_delta_text = self._model._return_guardrails_stats( stream_delta ).get("generated_text", "") content += stream_delta_text yield CompletionResponse( text=content, delta=stream_delta_text, raw=stream_delta )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:514
Function '_stream_chat' on line 514 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return await achat_fn(messages, **kwargs) def _stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: message_dicts = [to_watsonx_message_dict(message) for message in messages]
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:249
User input parameter 'prompt' is directly passed to LLM API call 'self._generator.chat'. This is a high-confidence prompt injection vector.
assert self._generator is not None response_text = self._generator.chat( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:268
User input parameter 'prompt' is directly passed to LLM API call 'self._generator.chat'. This is a high-confidence prompt injection vector.
assert self._generator is not None response_iter = self._generator.chat( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:191
Function 'chat' on line 191 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: assert self._generator is not None prompt = messages[-1].content if len(messages) > 0 else "" history = [xinference_message_to_history(message) for message in messages[:-1]]
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:213
Function 'stream_chat' on line 213 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: assert self._generator is not None
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:287
User input parameter 'messages' is directly passed to LLM API call 'self._sync_client.chat_completion'. This is a high-confidence prompt injection vector.
output: ChatCompletionOutput = self._sync_client.chat_completion( messages=self._to_huggingface_messages(messages),
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:340
User input parameter 'messages' is directly passed to LLM API call 'self._sync_client.chat_completion'. This is a high-confidence prompt injection vector.
cur_index = -1 for chunk in self._sync_client.chat_completion( messages=self._to_huggingface_messages(messages),
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:283
Function 'chat' on line 283 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: if self.task == "conversational" or self.task is None: model_kwargs = self._get_model_kwargs(**kwargs) output: ChatCompletionOutput = self._sync_client.chat_completion( messages=self._to_huggingface_messages(messages), **model_kwargs, ) content = output.choices[0].message.content or "" tool_calls = output.choices[0].message.tool_calls or []
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:330
Function 'stream_chat' on line 330 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: if self.task == "conversational" or self.task is None: model_kwargs = self._get_model_kwargs(**kwargs) def gen() -> ChatResponseGen: response = "" tool_call_strs = [] cur_index = -1 for chunk in self._sync_client.chat_completion(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:283
Function 'chat' on line 283 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: if self.task == "conversational" or self.task is None: model_kwargs = self._get_model_kwargs(**kwargs)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:310
Function 'complete' on line 310 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return completion_response_to_chat_response(completion) def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: if self.task == "conversational":
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:330
Function 'stream_chat' on line 330 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: if self.task == "conversational" or self.task is None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:336
Function 'gen' on line 336 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
model_kwargs = self._get_model_kwargs(**kwargs) def gen() -> ChatResponseGen: response = "" tool_call_strs = [] cur_index = -1
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Insecure tool function 'perform_request' executes dangerous operations
LLM07: Insecure Plugin Design HIGH
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-deepinfra/llama_index/llms/deepinfra/client.py:46
Tool function 'perform_request' on line 46 takes LLM output as a parameter and performs dangerous operations (http_request) without proper validation. Attackers can craft malicious LLM outputs to execute arbitrary commands, access files, or perform SQL injection.
Dict[str, Any]: The API response. """ def perform_request(): response = requests.post( self.get_url(endpoint), json={ **payload, "stream": False,
Remediation
Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations
Insecure tool function 'perform_request' executes dangerous operations
LLM07: Insecure Plugin Design HIGH
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-deepinfra/llama_index/llms/deepinfra/client.py:76
Tool function 'perform_request' on line 76 takes LLM output as a parameter and performs dangerous operations (http_request) without proper validation. Attackers can craft malicious LLM outputs to execute arbitrary commands, access files, or perform SQL injection.
str: The streaming response from the API. """ def perform_request(): response = requests.post( self.get_url(endpoint), json={ **payload, "stream": True,
Remediation
Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino/llama_index/llms/openvino/base.py:92
Function '__init__' on line 92 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def __init__( self, context_window: int = DEFAULT_CONTEXT_WINDOW, max_new_tokens: int = DEFAULT_NUM_OUTPUTS, query_wrapper_prompt: Union[str, PromptTemplate] = "{query_str}", model_id_or_path: str = DEFAULT_HUGGINGFACE_MODEL, model: Optional[Any] = None, tokenizer: Optional[Any] = None, device_map: Optional[str] = "auto", stopping_ids: Optional[List[int]] = None, tokenizer_kwargs: Optional[dict] = None,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '__init__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino/llama_index/llms/openvino/base.py:92
Function '__init__' on line 92 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def __init__( self, context_window: int = DEFAULT_CONTEXT_WINDOW, max_new_tokens: int = DEFAULT_NUM_OUTPUTS,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:230
User input parameter 'prompt' is directly passed to LLM API call 'base_llm_deployment.with_adapter(model=adapter_model).generate'. This is a high-confidence prompt injection vector.
adapter_model = self._client.LLM(uri=f"hf://{self.adapter_id}") result = base_llm_deployment.with_adapter(model=adapter_model).generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:235
User input parameter 'prompt' is directly passed to LLM API call 'base_llm_deployment.generate'. This is a high-confidence prompt injection vector.
else: result = base_llm_deployment.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:287
User input parameter 'prompt' is directly passed to LLM API call 'lorax_client.generate'. This is a high-confidence prompt injection vector.
try: response = lorax_client.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:261
User input parameter 'prompt' is directly passed to LLM API call 'lorax_client.generate'. This is a high-confidence prompt injection vector.
try: response = lorax_client.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:273
User input parameter 'prompt' is directly passed to LLM API call 'lorax_client.generate'. This is a high-confidence prompt injection vector.
try: response = lorax_client.generate( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-contextual/llama_index/llms/contextual/base.py:181
User input parameter 'messages' is directly passed to LLM API call 'self.client.generate.create'. This is a high-confidence prompt injection vector.
""" raw_message = self.client.generate.create( messages=messages,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:269
Function 'chat' on line 269 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response_gen = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:208
Function 'complete' on line 208 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: model_kwargs = {**self.model_kwargs, **kwargs}
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:237
Function 'stream_complete' on line 237 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def stream_complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponseGen: model_kwargs = {**self.model_kwargs, **kwargs}
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:246
Function 'gen' on line 246 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
request_body = self.content_handler.serialize_input(prompt, model_kwargs) def gen() -> CompletionResponseGen: raw_text = "" prev_clean_text = "" for response in self._client.invoke_endpoint_with_response_stream(
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:379
User input parameter 'prompt' is directly passed to LLM API call 'chat_to_completion_decorator(self.chat)'. This is a high-confidence prompt injection vector.
) -> CompletionResponse: return chat_to_completion_decorator(self.chat)(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:243
Function 'chat' on line 243 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: messages_dict = self._convert_to_llm_messages(messages) raw_response = self._client.chat.completions.create( model=self.model, messages=messages_dict, stream=False, tools=kwargs.get("tools"), tool_choice=kwargs.get("tool_choice"), stop=kwargs.get("stop"), timeout=self.timeout, extra_body=self.model_kwargs,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:301
Function 'stream_chat' on line 301 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: messages_dict = self._convert_to_llm_messages(messages) def gen() -> ChatResponseGen: raw_response = self._client.chat.completions.create( model=self.model, messages=messages_dict, stream=True, tools=kwargs.get("tools"),
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:243
Function 'chat' on line 243 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: messages_dict = self._convert_to_llm_messages(messages) raw_response = self._client.chat.completions.create( model=self.model,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:301
Function 'stream_chat' on line 301 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: messages_dict = self._convert_to_llm_messages(messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:306
Function 'gen' on line 306 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
messages_dict = self._convert_to_llm_messages(messages) def gen() -> ChatResponseGen: raw_response = self._client.chat.completions.create( model=self.model, messages=messages_dict,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:155
User input parameter 'prompt' is directly passed to LLM API call 'super().complete'. This is a high-confidence prompt injection vector.
return super().complete(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:173
User input parameter 'messages' is directly passed to LLM API call 'super().chat'. This is a high-confidence prompt injection vector.
return super().chat(messages, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:166
Function 'chat' on line 166 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """Chat with the model.""" if not self.metadata.is_chat_model: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) return super().chat(messages, **kwargs) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-replicate/llama_index/llms/replicate/base.py:111
Function 'chat' on line 111 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:125
User input parameter 'prompt' is directly passed to LLM API call 'super().complete'. This is a high-confidence prompt injection vector.
return super().complete(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:143
User input parameter 'messages' is directly passed to LLM API call 'super().chat'. This is a high-confidence prompt injection vector.
return super().chat(messages, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:136
Function 'chat' on line 136 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """Chat with the model.""" if not self.metadata.is_chat_model: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) return super().chat(messages, **kwargs) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:171
User input parameter 'prompt' is directly passed to LLM API call 'self.complete'. This is a high-confidence prompt injection vector.
def stream_complete(self, prompt: str, **kwargs: Any) -> CompletionResponseGen: yield self.complete(prompt, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:183
User input parameter 'messages' is directly passed to LLM API call 'self.chat'. This is a high-confidence prompt injection vector.
) -> ChatResponseGen: yield self.chat(messages, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:180
Function 'stream_chat' on line 180 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: yield self.chat(messages, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:356
User input parameter 'messages' is directly passed to LLM API call 'self._client.complete'. This is a high-confidence prompt injection vector.
all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.complete(messages=messages, **all_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:389
User input parameter 'messages' is directly passed to LLM API call 'self._client.complete'. This is a high-confidence prompt injection vector.
response = self._client.complete(messages=messages, stream=True, **all_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:504
LLM output variable 'response' flows to 'force_single_tool_call' on line 504 via direct flow. This creates a command_injection vulnerability.
if not allow_parallel_tool_calls: force_single_tool_call(response) return response
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:353
Function 'chat' on line 353 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: messages = to_inference_message(messages) all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.complete(messages=messages, **all_kwargs) response_message = from_inference_message(response.choices[0].message) return ChatResponse( message=response_message, raw=response.as_dict(), )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:474
Function 'chat_with_tools' on line 474 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat_with_tools( self, tools: List["BaseTool"], user_msg: Optional[Union[str, ChatMessage]] = None, chat_history: Optional[List[ChatMessage]] = None, verbose: bool = False, allow_parallel_tool_calls: bool = False, tool_required: bool = False, **kwargs: Any, ) -> ChatResponse: """Predict and call the tool."""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:383
Function 'stream_chat' on line 383 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: messages = to_inference_message(messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino-genai/llama_index/llms/openvino_genai/base.py:395
Function 'chat' on line 395 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:155
Function 'chat' on line 155 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """ Send a chat request to the Reka API. Args: messages (Sequence[ChatMessage]): A sequence of chat messages. **kwargs: Additional keyword arguments for the API call. Returns: ChatResponse: The response from the Reka API.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:155
Function 'chat' on line 155 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """ Send a chat request to the Reka API.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:195
Function 'complete' on line 195 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete(self, prompt: str, **kwargs: Any) -> CompletionResponse: """ Send a completion request to the Reka API.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:228
Function 'stream_chat' on line 228 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: """
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:282
Function 'stream_complete' on line 282 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def stream_complete(self, prompt: str, **kwargs: Any) -> CompletionResponseGen: """ Send a streaming completion request to the Reka API.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:258
Function 'chat' on line 258 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:272
Function 'complete' on line 272 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: self.generate_kwargs.update({"stream": False})
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:285
Function 'stream_complete' on line 285 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def stream_complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponseGen: self.generate_kwargs.update({"stream": True})
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:312
User input parameter 'messages' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:365
User input parameter 'messages' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:312
LLM output from 'asyncio.run' is used in 'run(' on line 312 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params( self.model, messages, self.file_mode, self._client, **params
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:365
LLM output from 'asyncio.run' is used in 'run(' on line 365 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params( self.model, messages, self.file_mode, self._client, **params
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:570
LLM output from 'asyncio.run' is used in 'run(' on line 570 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
contents_and_names = [ asyncio.run(chat_message_to_gemini(message, self.file_mode, self._client)) for message in messages ]
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:621
LLM output from 'asyncio.run' is used in 'run(' on line 621 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
contents_and_names = [ asyncio.run( chat_message_to_gemini(message, self.file_mode, self._client) )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:723
LLM output from 'asyncio.run' is used in 'run(' on line 723 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
contents_and_names = [ asyncio.run( chat_message_to_gemini(message, self.file_mode, self._client) )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:306
Function '_chat' on line 306 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _chat(self, messages: Sequence[ChatMessage], **kwargs: Any): generation_config = { **(self._generation_config or {}), **kwargs.pop("generation_config", {}), } params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params( self.model, messages, self.file_mode, self._client, **params ) )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:357
Function '_stream_chat' on line 357 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: generation_config = { **(self._generation_config or {}), **kwargs.pop("generation_config", {}), } params = {**kwargs, "generation_config": generation_config} next_msg, chat_kwargs, file_api_names = asyncio.run( prepare_chat_params( self.model, messages, self.file_mode, self._client, **params
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:558
Function 'structured_predict_without_function_calling' on line 558 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def structured_predict_without_function_calling( self, output_cls: Type[Model], prompt: PromptTemplate, llm_kwargs: Optional[Dict[str, Any]] = None, **prompt_args: Any, ) -> Model: """Structured predict.""" llm_kwargs = llm_kwargs or {} messages = prompt.format_messages(**prompt_args)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:599
Function 'structured_predict' on line 599 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def structured_predict( self, output_cls: Type[Model], prompt: PromptTemplate, llm_kwargs: Optional[Dict[str, Any]] = None, **prompt_args: Any, ) -> Model: """Structured predict.""" llm_kwargs = llm_kwargs or {} if self.pydantic_program_mode == PydanticProgramMode.DEFAULT:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:701
Function 'stream_structured_predict' on line 701 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_structured_predict( self, output_cls: Type[Model], prompt: PromptTemplate, llm_kwargs: Optional[Dict[str, Any]] = None, **prompt_args: Any, ) -> Generator[Union[Model, FlexibleModel], None, None]: """Stream structured predict.""" llm_kwargs = llm_kwargs or {} if self.pydantic_program_mode == PydanticProgramMode.DEFAULT:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:306
Function '_chat' on line 306 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_retry_decorator def _chat(self, messages: Sequence[ChatMessage], **kwargs: Any): generation_config = { **(self._generation_config or {}), **kwargs.pop("generation_config", {}),
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:357
Function '_stream_chat' on line 357 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return await self._achat(messages, **kwargs) def _stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: generation_config = {
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'structured_predict_without_function_calling'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:558
Function 'structured_predict_without_function_calling' on line 558 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@dispatcher.span def structured_predict_without_function_calling( self, output_cls: Type[Model], prompt: PromptTemplate,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_structured_predict'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:701
Function 'stream_structured_predict' on line 701 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@dispatcher.span def stream_structured_predict( self, output_cls: Type[Model], prompt: PromptTemplate,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:731
Function 'gen' on line 731 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
file_api_names = [name for it in contents_and_names for name in it[1]] def gen() -> Generator[Union[Model, FlexibleModel], None, None]: flexible_model = create_flexible_model(output_cls) response_gen = self._client.models.generate_content_stream( model=self.model,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to code_execution sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:256
LLM output variable 'model' flows to 'get_torch_compiled_model' on line 256 via direct flow. This creates a code_execution vulnerability.
if args.torch_compile and model.config.model_type == "llama": model = get_torch_compiled_model(model) # if args.assistant_model is not None: # assistant_model = get_torch_compiled_model(assistant_model)
Remediation
Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required
LLM output flows to code_execution sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:341
LLM output variable 'model' flows to 'get_torch_compiled_model' on line 341 via direct flow. This creates a code_execution vulnerability.
if args.torch_compile and model.config.model_type == "llama": model = get_torch_compiled_model(model) # if args.assistant_model is not None: # assistant_model = get_torch_compiled_model(assistant_model)
Remediation
Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required
Direct execution of LLM-generated code in 'setup_distributed_model'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:262
Function 'setup_distributed_model' on line 262 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
# assistant_model = get_torch_compiled_model(assistant_model) return model, assistant_model def setup_distributed_model(args, model_dtype, model_kwargs, logger): import deepspeed logger.info("DeepSpeed is enabled.") deepspeed.init_distributed(dist_backend="hccl") config = AutoConfig.from_pretrained(
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in 'setup_model'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:192
Function 'setup_model' on line 192 directly executes LLM-generated code using eval(. This is extremely dangerous and allows arbitrary code execution.
def setup_model(args, model_dtype, model_kwargs, logger): logger.info("Single-device run.") if args.assistant_model is None: assistant_model = None
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Direct execution of LLM output in 'setup_distributed_model'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:262
Function 'setup_distributed_model' on line 262 directly executes LLM-generated code using eval(. This is extremely dangerous and allows arbitrary code execution.
def setup_distributed_model(args, model_dtype, model_kwargs, logger): import deepspeed logger.info("DeepSpeed is enabled.")
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-clarifai/llama_index/llms/clarifai/base.py:151
Function 'chat' on line 151 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat( self, messages: Sequence[ChatMessage], inference_params: Optional[Dict] = {}, **kwargs: Any, ) -> ChatResponse: """Chat endpoint for LLM.""" prompt = "".join([str(m) for m in messages]) try: response = ( self._model.predict_by_bytes(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:106
Function 'chat' on line 106 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.chat.completions.create( stream=False, **get_chat_request(messages), **all_kwargs, ) return ChatResponse( message=ChatMessage( role=MessageRole.ASSISTANT, content=response.choices[0].message.content
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:140
Function 'stream_chat' on line 140 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: all_kwargs = self._get_all_kwargs(**kwargs) stream = self._client.chat.completions.create( stream=True, **get_chat_request(messages), **all_kwargs, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:106
Function 'chat' on line 106 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.chat.completions.create(
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:140
Function 'stream_chat' on line 140 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: all_kwargs = self._get_all_kwargs(**kwargs)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:220
User input parameter 'prompt' is directly passed to LLM API call 'self._model.generate_content'. This is a high-confidence prompt injection vector.
request_options = self._request_options or kwargs.pop("request_options", None) result = self._model.generate_content( prompt, request_options=request_options, **kwargs
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:243
User input parameter 'prompt' is directly passed to LLM API call 'self._model.generate_content'. This is a high-confidence prompt injection vector.
text = "" it = self._model.generate_content( prompt, stream=True, request_options=request_options, **kwargs
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:261
User input parameter 'prompt' is directly passed to LLM API call 'self._model.generate_content_async'. This is a high-confidence prompt injection vector.
text = "" it = await self._model.generate_content_async( prompt, stream=True, request_options=request_options, **kwargs
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:272
Function 'chat' on line 272 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: request_options = self._request_options or kwargs.pop("request_options", None) merged_messages = merge_neighboring_same_role_messages(messages) *history, next_msg = map(chat_message_to_gemini, merged_messages) chat = self._model.start_chat(history=history) response = chat.send_message( next_msg, request_options=request_options, **kwargs, ) return chat_from_gemini_response(response)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:298
Function 'stream_chat' on line 298 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: request_options = self._request_options or kwargs.pop("request_options", None) merged_messages = merge_neighboring_same_role_messages(messages) *history, next_msg = map(chat_message_to_gemini, merged_messages) chat = self._model.start_chat(history=history) response = chat.send_message( next_msg, stream=True, request_options=request_options, **kwargs )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:272
Function 'chat' on line 272 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: request_options = self._request_options or kwargs.pop("request_options", None) merged_messages = merge_neighboring_same_role_messages(messages) *history, next_msg = map(chat_message_to_gemini, merged_messages)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:298
Function 'stream_chat' on line 298 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: request_options = self._request_options or kwargs.pop("request_options", None)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:432
LLM output variable 'response' flows to 'self._get_blocks_and_tool_calls_and_thinking' on line 432 via direct flow. This creates a command_injection vulnerability.
blocks, citations = self._get_blocks_and_tool_calls_and_thinking(response) return AnthropicChatResponse(
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:417
Function 'chat' on line 417 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> AnthropicChatResponse: anthropic_messages, system_prompt = messages_to_anthropic_messages( messages, self.cache_idx, self.model ) all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.messages.create( messages=anthropic_messages, stream=False,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:452
Function 'stream_chat' on line 452 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> Generator[AnthropicChatResponse, None, None]: anthropic_messages, system_prompt = messages_to_anthropic_messages( messages, self.cache_idx, self.model ) all_kwargs = self._get_all_kwargs(**kwargs) response = self._client.messages.create( messages=anthropic_messages, system=system_prompt, stream=True, **all_kwargs )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '__init__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:198
Function '__init__' on line 198 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
] = PrivateAttr() def __init__( self, model: str = DEFAULT_ANTHROPIC_MODEL, temperature: float = DEFAULT_TEMPERATURE,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:417
Function 'chat' on line 417 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> AnthropicChatResponse: anthropic_messages, system_prompt = messages_to_anthropic_messages(
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:444
Function 'complete' on line 444 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> AnthropicCompletionResponse: chat_message = ChatMessage(role=MessageRole.USER, content=prompt)
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:452
Function 'stream_chat' on line 452 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> Generator[AnthropicChatResponse, None, None]: anthropic_messages, system_prompt = messages_to_anthropic_messages(
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:247
LLM output variable 'runtime_mapping' flows to 'tensorrt_llm.runtime.GenerationSession' on line 247 via direct flow. This creates a command_injection vulnerability.
engine_buffer = f.read() decoder = tensorrt_llm.runtime.GenerationSession( model_config, engine_buffer, runtime_mapping, debug_mode=False )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:291
Function 'chat' on line 291 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: try: import torch
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:297
Function 'complete' on line 297 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: try:
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:318
Function 'complete' on line 318 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: """Completion endpoint.""" full_prompt = prompt if not formatted: if self.query_wrapper_prompt: full_prompt = self.query_wrapper_prompt.format(query_str=prompt) if self.completion_to_prompt: full_prompt = self.completion_to_prompt(full_prompt) elif self.system_prompt:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:398
Function 'chat' on line 398 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) @llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:318
Function 'complete' on line 318 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: """Completion endpoint."""
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-bedrock/llama_index/llms/bedrock/base.py:354
Function 'chat' on line 354 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: prompt = self.messages_to_prompt(messages) completion_response = self.complete(prompt, formatted=True, **kwargs) return completion_response_to_chat_response(completion_response) def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: prompt = self.messages_to_prompt(messages) completion_response = self.stream_complete(prompt, formatted=True, **kwargs) return stream_completion_response_to_chat_response(completion_response)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:245
User input parameter 'messages' is directly passed to LLM API call 'self._client.chat.completions.create'. This is a high-confidence prompt injection vector.
messages = [message_to_ai21_message(message) for message in messages] response = self._client.chat.completions.create( messages=messages,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:342
User input parameter 'messages' is directly passed to LLM API call 'self._client.chat.create'. This is a high-confidence prompt injection vector.
system, messages = message_to_ai21_j2_message(messages) response = self._client.chat.create( system=system,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:413
User input parameter 'messages' is directly passed to LLM API call 'self._client.chat.completions.create'. This is a high-confidence prompt injection vector.
messages = [message_to_ai21_message(message) for message in messages] response = self._client.chat.completions.create( messages=messages,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:238
Function 'chat' on line 238 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: all_kwargs = self._get_all_kwargs(**kwargs) if self._is_j2_model(): return self._j2_chat(messages, **all_kwargs) messages = [message_to_ai21_message(message) for message in messages] response = self._client.chat.completions.create( messages=messages, stream=False, **all_kwargs,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:340
Function '_j2_chat' on line 340 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _j2_chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: system, messages = message_to_ai21_j2_message(messages) response = self._client.chat.create( system=system, messages=messages, stream=False, **kwargs, ) return ChatResponse( message=ChatMessage(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:405
Function 'stream_chat' on line 405 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: if self._is_j2_model(): raise ValueError("Stream chat is not supported for J2 models.") all_kwargs = self._get_all_kwargs(**kwargs) messages = [message_to_ai21_message(message) for message in messages] response = self._client.chat.completions.create( messages=messages, stream=True,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '_j2_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:340
Function '_j2_chat' on line 340 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return await astream_complete_fn(prompt, **kwargs) def _j2_chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: system, messages = message_to_ai21_j2_message(messages) response = self._client.chat.create( system=system,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:405
Function 'stream_chat' on line 405 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: if self._is_j2_model():
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:385
User input parameter 'messages' is directly passed to LLM API call 'current_llm.chat'. This is a high-confidence prompt injection vector.
current_llm = self._get_current_llm() return current_llm.chat(messages, **kwargs) except Exception as e:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:402
User input parameter 'messages' is directly passed to LLM API call 'current_llm.stream_chat'. This is a high-confidence prompt injection vector.
current_llm = self._get_current_llm() return current_llm.stream_chat(messages, **kwargs) except Exception as e:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:419
User input parameter 'prompt' is directly passed to LLM API call 'current_llm.complete'. This is a high-confidence prompt injection vector.
current_llm = self._get_current_llm() return current_llm.complete(prompt, formatted, **kwargs) except Exception as e:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:436
User input parameter 'prompt' is directly passed to LLM API call 'current_llm.stream_complete'. This is a high-confidence prompt injection vector.
current_llm = self._get_current_llm() return current_llm.stream_complete(prompt, formatted, **kwargs) except Exception as e:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:380
Function 'chat' on line 380 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat(self, messages: Sequence[ChatMessage], **kwargs: Any) -> ChatResponse: """Chat with the AI Gateway by delegating to the current LLM.""" while True: try: current_llm = self._get_current_llm() return current_llm.chat(messages, **kwargs) except Exception as e: # Try next LLM on failure logger.warning( f"It seems that the current LLM is not working with the AI Gateway. Error: {e}" )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:395
Function 'stream_chat' on line 395 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, messages: Sequence[ChatMessage], **kwargs: Any ) -> ChatResponseGen: """Stream chat with the AI Gateway by delegating to the current LLM.""" while True: try: current_llm = self._get_current_llm() return current_llm.stream_chat(messages, **kwargs) except Exception as e: # Try next LLM on failure logger.warning(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:412
Function 'complete' on line 412 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponse: """Complete a prompt using the AI Gateway by delegating to the current LLM.""" while True: try: current_llm = self._get_current_llm() return current_llm.complete(prompt, formatted, **kwargs) except Exception as e: # Try next LLM on failure logger.warning(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:429
Function 'stream_complete' on line 429 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_complete( self, prompt: str, formatted: bool = False, **kwargs: Any ) -> CompletionResponseGen: """Stream complete a prompt using the AI Gateway by delegating to the current LLM.""" while True: try: current_llm = self._get_current_llm() return current_llm.stream_complete(prompt, formatted, **kwargs) except Exception as e: # Try next LLM on failure logger.warning(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-palm/llama_index/llms/palm/base.py:145
User input parameter 'prompt' is directly passed to LLM API call 'palm.generate_text'. This is a high-confidence prompt injection vector.
""" completion = palm.generate_text( model=self.model_name,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:113
User input parameter 'prompt' is directly passed to LLM API call 'giga.chat'. This is a high-confidence prompt injection vector.
with GigaChat(**self._gigachat_kwargs) as giga: response = giga.chat( Chat(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:155
User input parameter 'messages' is directly passed to LLM API call 'giga.chat'. This is a high-confidence prompt injection vector.
with GigaChat(**self._gigachat_kwargs) as giga: response = giga.chat( Chat(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:148
Function 'chat' on line 148 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat( self, messages: Sequence[ChatMessage], **kwargs: Any, ) -> ChatResponse: """Get chat.""" with GigaChat(**self._gigachat_kwargs) as giga: response = giga.chat( Chat( model=self.model, messages=[
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'complete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:105
Function 'complete' on line 105 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_completion_callback() def complete( self, prompt: str, formatted: bool = False,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:148
Function 'chat' on line 148 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@llm_chat_callback() def chat( self, messages: Sequence[ChatMessage], **kwargs: Any,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Insecure tool function '_perform_request' executes dangerous operations
LLM07: Insecure Plugin Design HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-mondaydotcom/llama_index/readers/mondaydotcom/base.py:39
Tool function '_perform_request' on line 39 takes LLM output as a parameter and performs dangerous operations (http_request) without proper validation. Attackers can craft malicious LLM outputs to execute arbitrary commands, access files, or perform SQL injection.
data["values"] = list(map(self._parse_item_values, list(item["column_values"]))) return data def _perform_request(self, board_id) -> Dict[str, str]: headers = {"Authorization": self.api_key} query = """ query{ boards(ids: [%d]){ name,
Remediation
Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:198
Function 'load' on line 198 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def load(self) -> List[Document]: """Load data into Document objects...""" try: import oracledb except ImportError as e: raise ImportError( "Unable to import oracledb, please install with " "`pip install -U oracledb`." ) from e ncols = 0
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Direct execution of LLM output in 'read_file'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:108
Function 'read_file' on line 108 directly executes LLM-generated code using cursor.execute. This is extremely dangerous and allows arbitrary code execution.
@staticmethod def read_file(conn: Connection, file_path: str, params: dict) -> Document: """ Read a file using OracleReader Args:
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Direct execution of LLM output in 'load'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:198
Function 'load' on line 198 directly executes LLM-generated code using cursor.execute. This is extremely dangerous and allows arbitrary code execution.
self.params = json.loads(json.dumps(params)) def load(self) -> List[Document]: """Load data into Document objects...""" try: import oracledb
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Critical decision without oversight in 'load_data'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-file/llama_index/readers/file/image/base.py:75
Function 'load_data' on line 75 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._pytesseract_model_kwargs = pytesseract_model_kwargs def load_data( self, file: Path, extra_info: Optional[Dict] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'urls' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/zyte_web/base.py:162
User input parameter 'urls' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
docs = [] responses = asyncio.run(self.fetch_items(urls)) for response in responses:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/zyte_web/base.py:162
LLM output from 'asyncio.run' is used in 'run(' on line 162 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
docs = [] responses = asyncio.run(self.fetch_items(urls)) for response in responses: content = self._get_content(response)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'urls' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/async_web/base.py:140
User input parameter 'urls' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run(self.aload_data(urls))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/async_web/base.py:140
LLM output from 'asyncio.run' is used in 'run(' on line 140 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self.aload_data(urls))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:70
User input parameter 'query' is directly passed to LLM API call 'smart_df.chat'. This is a high-confidence prompt injection vector.
smart_df = SmartDataframe(initial_df, config=self._pandasai_config) return smart_df.chat(query=query)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:79
User input parameter 'query' is directly passed to LLM API call 'self.run_pandas_ai'. This is a high-confidence prompt injection vector.
"""Parse file.""" result = self.run_pandas_ai( initial_df, query, is_conversational_answer=is_conversational_answer
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:62
Function 'run_pandas_ai' on line 62 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run_pandas_ai( self, initial_df: pd.DataFrame, query: str, is_conversational_answer: bool = False, ) -> Any: """Load dataframe.""" smart_df = SmartDataframe(initial_df, config=self._pandasai_config) return smart_df.chat(query=query) def load_data(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:72
Function 'load_data' on line 72 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def load_data( self, initial_df: pd.DataFrame, query: str, is_conversational_answer: bool = False, ) -> List[Document]: """Parse file.""" result = self.run_pandas_ai( initial_df, query, is_conversational_answer=is_conversational_answer ) if is_conversational_answer:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-dashscope/llama_index/readers/dashscope/base.py:367
LLM output from 'asyncio.run' is used in 'run(' on line 367 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return asyncio.run(self.aload_data(file_path, extra_info)) except RuntimeError as e: if nest_asyncio_err in str(e):
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-dashscope/llama_index/readers/dashscope/base.py:431
LLM output from 'asyncio.run' is used in 'run(' on line 431 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return asyncio.run(self.aget_json(file_path, extra_info)) except RuntimeError as e: if nest_asyncio_err in str(e):
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/calendar/base.py:107
Function '_get_credentials' on line 107 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return results def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/sheets/base.py:180
Function '_get_credentials' on line 180 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return dataframes def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/chat/base.py:249
Function '_get_credentials' on line 249 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return all_msgs def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/drive/base.py:163
Function '_get_credentials' on line 163 makes critical security, data_modification decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return "GoogleDriveReader" def _get_credentials(self) -> Tuple[Credentials]: """ Authenticate with Google and save credentials. Download the service_account_key.json file with these instructions: https://cloud.google.com/iam/docs/keys-create-delete.
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/gmail/base.py:53
Function '_get_credentials' on line 53 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return results def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'extract_text_from_image'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-paddle-ocr/llama_index/readers/paddle_ocr/base.py:22
Function 'extract_text_from_image' on line 22 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.ocr = PaddleOCR(use_angle_cls=use_angle_cls, lang=lang) def extract_text_from_image(self, image_data): """ Extract text from image data using PaddleOCR """
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/repository/base.py:420
LLM output variable 'blobs_and_paths' flows to 'self._loop.run_until_complete' on line 420 via direct flow. This creates a command_injection vulnerability.
documents = self._loop.run_until_complete( self._generate_documents( blobs_and_paths=blobs_and_paths,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/repository/base.py:486
LLM output variable 'blobs_and_paths' flows to 'self._loop.run_until_complete' on line 486 via direct flow. This creates a command_injection vulnerability.
documents = self._loop.run_until_complete( self._generate_documents( blobs_and_paths=blobs_and_paths,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/collaborators/base.py:102
Function 'load_data' on line 102 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def load_data( self, ) -> List[Document]: """ GitHub repository collaborators reader. Retrieves the list of collaborators in a GitHub repository and converts them to documents. Each collaborator is converted to a document by doing the following: - The text of the document is the login.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'load_data'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/collaborators/base.py:102
Function 'load_data' on line 102 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self._github_client = github_client def load_data( self, ) -> List[Document]: """
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/issues/base.py:120
Function 'load_data' on line 120 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def load_data( self, state: Optional[IssueState] = IssueState.OPEN, labelFilters: Optional[List[Tuple[str, FilterType]]] = None, ) -> List[Document]: """ Load issues from a repository and converts them to documents. Each issue is converted to a document by doing the following: - The text of the document is the concatenation of the title and the body of the issue.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:15
LLM output from 'subprocess.run' is used in 'subprocess.' on line 15 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: result = subprocess.run(cli_command, capture_output=True, text=True) result.check_returncode() return result.stdout
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Direct execution of LLM-generated code in 'nougat_ocr'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:11
Function 'nougat_ocr' on line 11 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
from llama_index.core.schema import Document class PDFNougatOCR(BaseReader): def nougat_ocr(self, file_path: Path) -> str: cli_command = ["nougat", "--markdown", "pdf", str(file_path), "--out", "output"] try: result = subprocess.run(cli_command, capture_output=True, text=True) result.check_returncode()
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in 'nougat_ocr'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:11
Function 'nougat_ocr' on line 11 directly executes LLM-generated code using subprocess.run. This is extremely dangerous and allows arbitrary code execution.
class PDFNougatOCR(BaseReader): def nougat_ocr(self, file_path: Path) -> str: cli_command = ["nougat", "--markdown", "pdf", str(file_path), "--out", "output"] try:
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-opendal/llama_index/readers/opendal/base.py:54
LLM output from 'asyncio.run' is used in 'run(' on line 54 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if not self.path.endswith("/"): asyncio.run(download_file_from_opendal(self.op, temp_dir, self.path)) else: asyncio.run(download_dir_from_opendal(self.op, temp_dir, self.path))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-jaguar/llama_index/readers/jaguar/base.py:158
LLM output from 'self.run' is used in 'run(' on line 158 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
jarr = self.run(q) if jarr is None: return []
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-jaguar/llama_index/readers/jaguar/base.py:207
LLM output from 'self.run' is used in 'run(' on line 207 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
jarr = self.run(q) if jarr is None: return []
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'contexts_list' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/evaluation/llama-index-evaluation-tonic-validate/llama_index/evaluation/tonic_validate/tonic_validate_evaluator.py:156
User input parameter 'contexts_list' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run( self.aevaluate_run(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/evaluation/llama-index-evaluation-tonic-validate/llama_index/evaluation/tonic_validate/tonic_validate_evaluator.py:156
LLM output from 'asyncio.run' is used in 'run(' on line 156 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run( self.aevaluate_run( queries=queries,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/response_synthesizers/llama-index-response-synthesizers-google/llama_index/response_synthesizers/google/base.py:154
User input parameter 'query_str' is directly passed to LLM API call 'genaix.generate_answer'. This is a high-confidence prompt injection vector.
client = cast(genai.GenerativeServiceClient, self._client) response = genaix.generate_answer( prompt=query_str,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/response_synthesizers/llama-index-response-synthesizers-google/llama_index/response_synthesizers/google/base.py:128
Function 'get_response' on line 128 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_response( self, query_str: str, text_chunks: Sequence[str], **response_kwargs: Any, ) -> SynthesizedResponse: """ Generate a grounded response on provided passages. Args: query_str: The user's question.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-evaporate/llama_index/program/evaporate/extractor.py:118
Function 'identify_fields' on line 118 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def identify_fields( self, nodes: List[BaseNode], topic: str, fields_top_k: int = 5 ) -> List: """ Identify fields from nodes. Will extract fields independently per node, and then return the top k fields. Args: nodes (List[BaseNode]): List of nodes to extract fields from.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-evaporate/llama_index/program/evaporate/extractor.py:240
Function 'extract_datapoints_with_fn' on line 240 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def extract_datapoints_with_fn( self, nodes: List[BaseNode], topic: str, sample_k: int = 5, fields_top_k: int = 5, ) -> List[Dict]: """Extract datapoints from a list of nodes, given a topic.""" idxs = list(range(len(nodes))) sample_k = min(sample_k, len(nodes)) subset_idxs = random.sample(idxs, sample_k)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-lmformatenforcer/llama_index/program/lmformatenforcer/base.py:103
LLM output variable 'text' flows to 'self.output_cls.parse_raw' on line 103 via direct flow. This creates a sql_injection vulnerability.
text = output.text return self.output_cls.parse_raw(text)
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/storage/chat_store/llama-index-storage-chat-store-redis/llama_index/storage/chat_store/redis/base.py:287
LLM output from 'asyncio.run' is used in 'run(' on line 287 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: asyncio.run(sentinel_client.execute_command("ping")) except redis.exceptions.AuthenticationError: exception_info = sys.exc_info()
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/storage/kvstore/llama-index-storage-kvstore-elasticsearch/llama_index/storage/kvstore/elasticsearch/base.py:303
Function 'delete' on line 303 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return result def delete(self, key: str, collection: str = DEFAULT_COLLECTION) -> bool: """ Delete a value from the store.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/voice_agents/llama-index-voice-agents-openai/llama_index/voice_agents/openai/audio_interface.py:119
LLM output from 'asyncio.run' is used in 'run(' on line 119 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if self.on_audio_callback: asyncio.run(self.on_audio_callback(mic_chunk)) else: time.sleep(0.05)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/voice_agents/llama-index-voice-agents-openai/llama_index/voice_agents/openai/audio_interface.py:113
Function 'output' on line 113 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def output(self) -> None: """Process microphone audio and call back when new audio is ready.""" while not self._stop_event.is_set(): if not self.mic_queue.empty(): mic_chunk = self.mic_queue.get() if self.on_audio_callback: asyncio.run(self.on_audio_callback(mic_chunk)) else: time.sleep(0.05) def receive(self, data: bytes, *args, **kwargs) -> None:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/neo4j_property_graph.py:650
LLM output from 'session.run' is used in 'run(' on line 650 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: data = session.run( neo4j.Query(text=query, timeout=self._timeout), param_map )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'structured_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/neo4j_property_graph.py:612
Function 'structured_query' on line 612 makes critical financial decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return triples def structured_query( self, query: str, param_map: Optional[Dict[str, Any]] = None,
Remediation
Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:290
User input parameter 'query' is directly passed to LLM API call 'session.run'. This is a high-confidence prompt injection vector.
with self._driver.session(database=self._database) as session: data = session.run( neo4j.Query(text=query, timeout=self._timeout), param_map
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:290
LLM output from 'session.run' is used in 'run(' on line 290 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: data = session.run( neo4j.Query(text=query, timeout=self._timeout), param_map )
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:176
LLM output from 'session.run' is used in 'run(' on line 176 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: session.run( ( "MATCH (n1:{})-[r:{}]->(n2:{}) WHERE n1.id = $subj AND n2.id"
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:186
LLM output from 'session.run' is used in 'run(' on line 186 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: session.run( "MATCH (n:%s) WHERE n.id = $entity DELETE n" % self.node_label, {"entity": entity},
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:193
LLM output from 'session.run' is used in 'run(' on line 193 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: is_exists_result = session.run( "MATCH (n1:%s)--() WHERE n1.id = $entity RETURN count(*)" % (self.node_label),
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:260
Function 'query' on line 260 makes critical financial decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self.schema def query(self, query: str, param_map: Optional[Dict[str, Any]] = None) -> Any: param_map = param_map or {} try: data, _, _ = self._driver.execute_query(
Remediation
Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'delete_entity'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:184
Function 'delete_entity' on line 184 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def delete_entity(entity: str) -> None: with self._driver.session(database=self._database) as session: session.run( "MATCH (n:%s) WHERE n.id = $entity DELETE n" % self.node_label,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:89
User input parameter 'query' is directly passed to LLM API call 'session.run'. This is a high-confidence prompt injection vector.
with self._driver.session(database=self._database) as session: result = session.run(query, param_map) return [record.data() for record in result]
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:89
LLM output from 'session.run' is used in 'run(' on line 89 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: result = session.run(query, param_map) return [record.data() for record in result]
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:86
Function 'query' on line 86 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query(self, query: str, param_map: Optional[Dict[str, Any]] = {}) -> Any: """Execute a Cypher query.""" with self._driver.session(database=self._database) as session: result = session.run(query, param_map) return [record.data() for record in result] def get(self, subj: str) -> List[List[str]]: """Get triplets.""" query = f""" MATCH (n1:{self.node_label})-[r]->(n2:{self.node_label}) WHERE n1.id = $subj
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/property_graph.py:648
Function 'structured_query' on line 648 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def structured_query( self, query: str, param_map: Optional[Dict[str, Any]] = None ) -> Any: param_map = param_map or {} with self._driver.session(database=self._database) as session: result = session.run(query, param_map) full_result = [d.data() for d in result] if self.sanitize_query_output: return [value_sanitize(el) for el in full_result]
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'delete'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/graph.py:185
Function 'delete' on line 185 makes critical data_modification decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return dict(rel_map) def delete(self, subj: str, rel: str, obj: str) -> None: """Delete triplet.""" with Session(self._engine) as session: stmt = delete(self._rel_model).where(
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:143
Function 'get' on line 143 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get( self, properties: Optional[dict] = None, ids: Optional[List[str]] = None, ) -> List[LabelledNode]: """Get nodes.""" with Session(self._engine) as session: query = session.query(self._node_model) if properties: for key, value in properties.items(): query = query.filter(self._node_model.properties[key] == value)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:178
Function 'get_triplets' on line 178 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_triplets( self, entity_names: Optional[List[str]] = None, relation_names: Optional[List[str]] = None, properties: Optional[dict] = None, ids: Optional[List[str]] = None, ) -> List[Triplet]: """Get triplets.""" # if nothing is passed, return empty list if not ids and not properties and not entity_names and not relation_names: return []
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:364
Function 'delete' on line 364 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def delete( self, entity_names: Optional[List[str]] = None, relation_names: Optional[List[str]] = None, properties: Optional[dict] = None, ids: Optional[List[str]] = None, ) -> None: """Delete matching data.""" with Session(self._engine) as session: # 1. Delete relations relation_stmt = delete(self._relation_model)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'get'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:143
Function 'get' on line 143 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return NodeModel, RelationModel def get( self, properties: Optional[dict] = None, ids: Optional[List[str]] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'get_triplets'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:178
Function 'get_triplets' on line 178 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return nodes def get_triplets( self, entity_names: Optional[List[str]] = None, relation_names: Optional[List[str]] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'delete'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:364
Function 'delete' on line 364 makes critical data_modification decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
session.commit() def delete( self, entity_names: Optional[List[str]] = None, relation_names: Optional[List[str]] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'vector_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:423
Function 'vector_query' on line 423 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
raise NotImplementedError("TiDB does not support cypher queries.") def vector_query( self, query: VectorStoreQuery, **kwargs: Any ) -> Tuple[List[LabelledNode], List[float]]: """Query the graph store with a vector store query."""
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:84
LLM output from 'session.run' is used in 'run(' on line 84 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: session.run( ( "MATCH (n1:{})-[r:{}]->(n2:{}) WHERE n1.id = $subj AND n2.id"
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:94
LLM output from 'session.run' is used in 'run(' on line 94 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: session.run( "MATCH (n:%s) WHERE n.id = $entity DETACH DELETE n" % self.node_label,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'delete_rel'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:82
Function 'delete_rel' on line 82 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
"""Delete triplet from the graph.""" def delete_rel(subj: str, obj: str, rel: str) -> None: with self._driver.session(database=self._database) as session: session.run( (
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'delete_entity'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:92
Function 'delete_entity' on line 92 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def delete_entity(entity: str) -> None: with self._driver.session(database=self._database) as session: session.run( "MATCH (n:%s) WHERE n.id = $entity DETACH DELETE n"
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model artifacts exposed without protection in 'create_and_save_openvino_model'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-openvino-rerank/llama_index/postprocessor/openvino_rerank/base.py:112
Function 'create_and_save_openvino_model' on line 112 exposes huggingface model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
@staticmethod def create_and_save_openvino_model( model_name_or_path: str, output_path: str, export_kwargs: Optional[dict] = None,
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
User input 'messages' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:162
User input parameter 'messages' is directly passed to LLM API call 'self.llm.chat'. This is a high-confidence prompt injection vector.
self._ensure_llm() return self.llm.chat(messages)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:66
Function '_postprocess_nodes' on line 66 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _postprocess_nodes( self, nodes: List[NodeWithScore], query_bundle: Optional[QueryBundle] = None, ) -> List[NodeWithScore]: dispatcher.event( ReRankStartEvent( query=query_bundle, nodes=nodes, top_n=self.top_n, model_name=self.llm.metadata.model_name,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:160
Function 'run_llm' on line 160 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run_llm(self, messages: Sequence[ChatMessage]) -> ChatResponse: self._ensure_llm() return self.llm.chat(messages) def _clean_response(self, response: str) -> str: new_response = "" for c in response: if not c.isdigit(): new_response += " " else: new_response += c
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-ibm/llama_index/postprocessor/ibm/base.py:258
User input parameter 'query_bundle' is directly passed to LLM API call 'self._watsonx_rerank.generate'. This is a high-confidence prompt injection vector.
] results = self._watsonx_rerank.generate( query=query_bundle.query_str,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Critical decision without oversight in '_ensure_run'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/callbacks/llama-index-callbacks-wandb/llama_index/callbacks/wandb/base.py:536
Function '_ensure_run' on line 536 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return start_time_in_ms, end_time_in_ms def _ensure_run(self, should_print_url: bool = False) -> None: """ Ensures an active W&B run exists.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'documents' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-alibabacloud-aisearch/llama_index/node_parser/alibabacloud_aisearch/base.py:102
User input parameter 'documents' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
) -> List[BaseNode]: return asyncio.get_event_loop().run_until_complete( self._aparse_nodes(documents, show_progress, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Critical decision without oversight in 'build_localised_splits'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-slide/llama_index/node_parser/slide/base.py:203
Function 'build_localised_splits' on line 203 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return chunks def build_localised_splits( self, chunks: List[str], ) -> List[Dict[str, str]]:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'proposition_transfer'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-topic/llama_index/node_parser/topic/base.py:129
Function 'proposition_transfer' on line 129 makes critical financial, security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return re.split(r"\n\s*\n", text) def proposition_transfer(self, paragraph: str) -> List[str]: """ Convert a paragraph into a list of self-sustaining statements using LLM. """
Remediation
Critical financial, security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'is_same_topic_llm'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-topic/llama_index/node_parser/topic/base.py:154
Function 'is_same_topic_llm' on line 154 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return [] def is_same_topic_llm(self, current_chunk: List[str], new_proposition: str) -> bool: """ Use zero-shot classification with LLM to determine if the new proposition belongs to the same topic. """
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-clarifai/llama_index/embeddings/clarifai/base.py:94
Function '_embed' on line 94 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _embed(self, sentences: List[str]) -> List[List[float]]: """Embed sentences.""" try: from clarifai.client.input import Inputs except ImportError: raise ImportError("ClarifaiEmbedding requires `pip install clarifai`.") embeddings = [] try: for i in range(0, len(sentences), self.embed_batch_size): batch = sentences[i : i + self.embed_batch_size]
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-google/llama_index/embeddings/google/palm.py:57
Function '_get_query_embedding' on line 57 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" return self._model.generate_embeddings(model=self.model_name, text=query)[ "embedding" ] async def _aget_query_embedding(self, query: str) -> List[float]: """The asynchronous version of _get_query_embedding.""" return await self._model.aget_embedding(query) def _get_text_embedding(self, text: str) -> List[float]:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-google/llama_index/embeddings/google/gemini.py:69
Function '_get_query_embedding' on line 69 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" return self._model.embed_content( model=self.model_name, content=query, title=self.title, task_type=self.task_type, )["embedding"] def _get_text_embedding(self, text: str) -> List[float]: """Get text embedding."""
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-langchain/llama_index/embeddings/langchain/base.py:62
Function '_get_query_embedding' on line 62 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" return self._langchain_embedding.embed_query(query) async def _aget_query_embedding(self, query: str) -> List[float]: try: return await self._langchain_embedding.aembed_query(query) except NotImplementedError: # Warn the user that sync is being used self._async_not_implemented_warn_once() return self._get_query_embedding(query)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '__init__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-upstage/llama_index/embeddings/upstage/base.py:63
Function '__init__' on line 63 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def __init__( self, model: str = "embedding", embed_batch_size: int = 100,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model artifacts exposed without protection in 'create_and_save_optimum_model'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-optimum/llama_index/embeddings/huggingface_optimum/base.py:87
Function 'create_and_save_optimum_model' on line 87 exposes huggingface model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
@classmethod def create_and_save_optimum_model( cls, model_name_or_path: str, output_path: str,
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-fastembed/llama_index/embeddings/fastembed/base.py:120
Function '_get_query_embedding' on line 120 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: query_embeddings: list[np.ndarray] = list(self._model.query_embed(query)) return query_embeddings[0].tolist() async def _aget_query_embedding(self, query: str) -> List[float]: return await asyncio.to_thread(self._get_query_embedding, query)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-gemini/llama_index/embeddings/gemini/base.py:94
Function '_get_query_embedding' on line 94 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" return self._model.embed_content( model=self.model_name, content=query, title=self.title, task_type=self.task_type, request_options=self._request_options, )["embedding"] def _get_text_embedding(self, text: str) -> List[float]:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-heroku/examples/basic_usage.py:7
Function 'main' on line 7 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def main(): """Demonstrate basic usage of Heroku embeddings.""" # Initialize the embedding model. This assumes the presence of EMBEDDING_MODEL_ID, # EMBEDDING_KEY, and EMBEDDING_URL in the host environment embedding_model = HerokuEmbedding() # Example texts to embed texts = [ "Hello, world!", "This is a test document about artificial intelligence.",
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous code_execution sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:200
LLM output from 'self._model.eval' is used in 'eval(' on line 200 without sanitization. This creates a code_execution vulnerability where malicious LLM output can compromise application security.
self.dimensionality = dimensionality self._model.eval() def _embed(self, sentences: List[str]) -> List[List[float]]:
Remediation
Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead
Direct execution of LLM-generated code in '__init__'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:165
Function '__init__' on line 165 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
_model: Any = PrivateAttr() _tokenizer: Any = PrivateAttr() _device: str = PrivateAttr() def __init__( self, model_name: Optional[str] = None, tokenizer_name: Optional[str] = None, pooling: Union[str, Pooling] = "cls", max_length: Optional[int] = None,
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in '__init__'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:165
Function '__init__' on line 165 directly executes LLM-generated code using eval(. This is extremely dangerous and allows arbitrary code execution.
_device: str = PrivateAttr() def __init__( self, model_name: Optional[str] = None, tokenizer_name: Optional[str] = None,
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:178
User input parameter 'query' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run(self._aget_query_embedding(query))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:186
User input parameter 'text' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run(self._aget_text_embedding(text))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:178
LLM output from 'asyncio.run' is used in 'run(' on line 178 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self._aget_query_embedding(query)) def _get_text_embedding(self, text: str) -> Embedding:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:186
LLM output from 'asyncio.run' is used in 'run(' on line 186 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self._aget_text_embedding(text)) def _get_text_embeddings(self, texts: List[str]) -> List[Embedding]:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:172
Function '_get_query_embedding' on line 172 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> Embedding: """ Embed the input query synchronously. NOTE: a new asyncio event loop is created internally for this. """ return asyncio.run(self._aget_query_embedding(query)) def _get_text_embedding(self, text: str) -> Embedding: """ Embed the text query synchronously.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-isaacus/examples/basic_usage.py:8
Function 'main' on line 8 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def main(): """Demonstrate basic usage of Isaacus embeddings.""" # Initialize the embedding model. This assumes the presence of ISAACUS_API_KEY # in the host environment embedding_model = IsaacusEmbedding() # Example legal texts to embed texts = [ "The parties hereby agree to the terms and conditions set forth in this contract.", "This agreement shall be governed by the laws of the State of California.",
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'main'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-isaacus/examples/basic_usage.py:8
Function 'main' on line 8 makes critical legal decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
def main(): """Demonstrate basic usage of Isaacus embeddings.""" # Initialize the embedding model. This assumes the presence of ISAACUS_API_KEY
Remediation
Critical legal decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:519
User input parameter 'query' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run(self._aget_query_embedding(query))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:527
User input parameter 'text' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
""" return asyncio.run(self._aget_text_embedding(text))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:519
LLM output from 'asyncio.run' is used in 'run(' on line 519 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self._aget_query_embedding(query)) def _get_text_embedding(self, text: str) -> Embedding:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:527
LLM output from 'asyncio.run' is used in 'run(' on line 527 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" return asyncio.run(self._aget_text_embedding(text)) def _get_text_embeddings(self, texts: List[str]) -> List[Embedding]:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:202
Function '_embed_with_retry' on line 202 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _embed_with_retry( self, inputs: List[Union[str, BytesIO]], prompt_name: Optional[str] = None, ) -> List[List[float]]: """ Generates embeddings with retry mechanism. Args: inputs: List of texts or images to embed prompt_name: Optional prompt type
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:513
Function '_get_query_embedding' on line 513 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> Embedding: """ Embed the input query synchronously. NOTE: a new asyncio event loop is created internally for this. """ return asyncio.run(self._aget_query_embedding(query)) def _get_text_embedding(self, text: str) -> Embedding: """ Embed the text query synchronously.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-vertex/llama_index/embeddings/vertex/base.py:214
Function '_get_query_embedding' on line 214 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> Embedding: texts = _get_embedding_request( texts=[query], embed_mode=self.embed_mode, is_query=True, model_name=self.model_name, ) embeddings = self._model.get_embeddings(texts, **self.additional_kwargs) return embeddings[0].values async def _aget_query_embedding(self, query: str) -> Embedding:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Unsafe data loading with torch.load in training context
LLM03: Training Data Poisoning HIGH
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:50
Function 'load' uses torch.load on line 50. Pickle-based deserialization can execute arbitrary code, allowing attackers to inject malicious code through poisoned training data or models.
model.load_state_dict( torch.load( os.path.join(input_path, "pytorch_model.bin"), map_location=torch.device("cpu"),
Remediation
Secure Data Loading: 1. Use safetensors instead of pickle for model weights 2. For torch.load, use weights_only=True 3. Verify checksums/signatures before loading 4. Only load data from trusted, verified sources 5. Implement content scanning before deserialization 6. Consider using JSON/YAML for configuration data
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:44
Function 'load' on line 44 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def load(cls, input_path: str) -> "BaseAdapter": """Load model.""" with open(os.path.join(input_path, "config.json")) as fIn: config = json.load(fIn) model = cls(**config) model.load_state_dict( torch.load( os.path.join(input_path, "pytorch_model.bin"), map_location=torch.device("cpu"), ) )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model artifacts exposed without protection in 'save'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:36
Function 'save' on line 36 exposes pytorch model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
"""Forward pass.""" def save(self, output_path: str) -> None: """Save model.""" os.makedirs(output_path, exist_ok=True) with open(os.path.join(output_path, "config.json"), "w") as fOut:
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/base.py:85
Function '_get_query_embedding' on line 85 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" import torch query_embedding = self._base_embed_model._get_query_embedding(query) if self._transform_query: query_embedding_t = torch.tensor(query_embedding).to(self._target_device) query_embedding_t = self._adapter.forward(query_embedding_t) query_embedding = query_embedding_t.tolist() return query_embedding
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-ibm/llama_index/embeddings/ibm/base.py:231
Function '_get_query_embedding' on line 231 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> List[float]: """Get query embedding.""" return self._embed_model.embed_query(text=query, params=self.params) def _get_text_embedding(self, text: str) -> List[float]: """Get text embedding.""" return self._get_query_embedding(query=text) def _get_text_embeddings(self, texts: List[str]) -> List[List[float]]: """Get text embeddings.""" return self._embed_model.embed_documents(texts=texts, params=self.params)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model artifacts exposed without protection in 'create_and_save_openvino_model'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-openvino/llama_index/embeddings/huggingface_openvino/base.py:148
Function 'create_and_save_openvino_model' on line 148 exposes huggingface model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
@staticmethod def create_and_save_openvino_model( model_name_or_path: str, output_path: str, export_kwargs: Optional[dict] = None,
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
Model artifacts exposed without protection in 'create_and_save_openvino_model'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-openvino/llama_index/embeddings/huggingface_openvino/base.py:271
Function 'create_and_save_openvino_model' on line 271 exposes huggingface model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
@staticmethod def create_and_save_openvino_model( model_name_or_path: str, output_path: str, export_kwargs: Optional[dict] = None,
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-clip/llama_index/embeddings/clip/base.py:98
Function '_get_text_embeddings' on line 98 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_text_embeddings(self, texts: List[str]) -> List[Embedding]: results = [] for text in texts: try: import clip except ImportError: raise ImportError( "ClipEmbedding requires `pip install git+https://github.com/openai/CLIP.git` and torch." ) text_embedding = self._model.encode_text( clip.tokenize(text).to(self._device)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-openai/llama_index/tools/openai/image_generation/base.py:122
User input parameter 'text' is directly passed to LLM API call 'self.client.images.generate'. This is a high-confidence prompt injection vector.
response = self.client.images.generate( prompt=text,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:68
User input parameter 'query' is directly passed to LLM API call 'self.run'. This is a high-confidence prompt injection vector.
try: return self.run(query, fetch, **kwargs) except Exception as e:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:319
LLM output from 'self.run' is used in 'run(' on line 319 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
tables_data = self.run(tables_query, fetch="all") # Fetch filtered column details
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:328
LLM output from 'self.run' is used in 'run(' on line 328 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
columns_data = self.run(columns_query, fetch="all") # Fetch filtered index details
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:337
LLM output from 'self.run' is used in 'run(' on line 337 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
indexes_data = self.run(indexes_query, fetch="all") return tables_data, columns_data, indexes_data
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:595
LLM output from 'db.run' is used in 'run(' on line 595 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) -> Optional[str]: result = db.run( f"""SELECT comment FROM system_schema.tables
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:622
LLM output from 'db.run' is used in 'run(' on line 622 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
cluster_info = [] results = db.run( f"""SELECT column_name, type, kind, clustering_order, position FROM system_schema.columns
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:662
LLM output from 'db.run' is used in 'run(' on line 662 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
indexes = [] results = db.run( f"""SELECT index_name, kind, options FROM system_schema.indexes
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:68
LLM output from 'self.run' is used in 'run(' on line 68 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return self.run(query, fetch, **kwargs) except Exception as e: return str(e)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:113
LLM output from 'self.run' is used in 'run(' on line 113 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
result = self.run(query, fetch="all") return "\n".join(str(row) for row in result) except Exception as e:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:60
Function 'run_no_throw' on line 60 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run_no_throw( self, query: str, fetch: str = "all", **kwargs: Any, ) -> Union[str, Sequence[Dict[str, Any]], ResultSet]: """Execute a CQL query and return the results.""" try: return self.run(query, fetch, **kwargs) except Exception as e: return str(e)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/base.py:41
User input parameter 'query' is directly passed to LLM API call 'self.db.run_no_throw'. This is a high-confidence prompt injection vector.
documents = [] result = self.db.run_no_throw(query, fetch="Cursor") for row in result:
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/base.py:29
Function 'cassandra_db_query' on line 29 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def cassandra_db_query(self, query: str) -> List[Document]: """ Execute a CQL query and return the results as a list of Documents. Args: query (str): A CQL query to execute. Returns: List[Document]: A list of Document objects, each containing data from a row. """
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:57
LLM output variable 'run_result' flows to 'run_result.to_pandas_df' on line 57 via direct flow. This creates a command_injection vulnerability.
self._try_display(run_result.to_pandas_df()) # create documents based on returned rows
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:82
LLM output variable 'query' flows to 'self._run_query' on line 82 via direct flow. This creates a command_injection vulnerability.
return self._run_query(query, False) def _get_summarization(self, original_ask: str, documents) -> Any:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:111
LLM output variable 'query' flows to 'self._run_query' on line 111 via direct flow. This creates a command_injection vulnerability.
return self._run_query(query, True) def generate_query_only(self, ask: str) -> str:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:34
LLM output from 'subprocess.run' is used in 'subprocess.' on line 34 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
""" result = subprocess.run([sys.executable, "-c", code], capture_output=True) return f"StdOut:\n{result.stdout}\nStdErr:\n{result.stderr}"
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Direct execution of LLM-generated code in 'code_interpreter'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:21
Function 'code_interpreter' on line 21 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
""" spec_functions = ["code_interpreter"] def code_interpreter(self, code: str): """ A function to execute python code, and return the stdout and stderr. You should import any libraries that you wish to use. You have access to any libraries the user has installed.
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Critical decision without oversight in 'code_interpreter'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:21
Function 'code_interpreter' on line 21 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
spec_functions = ["code_interpreter"] def code_interpreter(self, code: str): """ A function to execute python code, and return the stdout and stderr.
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'message' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-slack/llama_index/tools/slack/base.py:54
User input parameter 'message' is directly passed to LLM API call 'slack_client.chat_postMessage'. This is a high-confidence prompt injection vector.
try: msg_result = slack_client.chat_postMessage( channel=channel_id,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-slack/llama_index/tools/slack/base.py:46
Function 'send_message' on line 46 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def send_message( self, channel_id: str, message: str, ) -> None: """Send a message to a channel given the channel ID.""" slack_client = self.reader._client try: msg_result = slack_client.chat_postMessage( channel=channel_id, text=message,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/utils.py:110
LLM output from 'workflow.run' is used in 'run(' on line 110 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
elif isinstance(run_args, BaseModel): handler = workflow.run(**run_args.model_dump()) elif isinstance(run_args, dict): start_event = StartEventCLS.model_validate(run_args)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/utils.py:113
LLM output from 'workflow.run' is used in 'run(' on line 113 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
start_event = StartEventCLS.model_validate(run_args) handler = workflow.run(start_event=start_event) else: raise ValueError(f"Invalid start event type: {type(run_args)}")
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/base.py:230
LLM output from 'asyncio.run' is used in 'run(' on line 230 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) return asyncio.run(func_async(*args, **kwargs)) return patched_sync
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'neo4j_query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:89
User input parameter 'neo4j_query' is directly passed to LLM API call 'session.run'. This is a high-confidence prompt injection vector.
with self.graph_store.client.session() as session: result = session.run(neo4j_query, params) output = [r.values() for r in result]
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'question' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:148
User input parameter 'question' is directly passed to LLM API call 'self.run_request'. This is a high-confidence prompt injection vector.
print("Retrying") return self.run_request( question,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output flows to command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:148
LLM output variable 'cypher' flows to 'self.run_request' on line 148 via direct flow. This creates a command_injection vulnerability.
print("Retrying") return self.run_request( question, [
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:74
Function 'query_graph_db' on line 74 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query_graph_db(self, neo4j_query, params=None): """ Queries the Neo4j database. Args: neo4j_query (str): The Cypher query to be executed. params (dict, optional): Parameters for the Cypher query. Defaults to None. Returns: list: The query results.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'construct_cypher_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:94
Function 'construct_cypher_query' on line 94 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return output def construct_cypher_query(self, question, history=None): """ Constructs a Cypher query based on a given question and history.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-google/llama_index/tools/google/calendar/base.py:121
Function '_get_credentials' on line 121 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return results def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in '_get_credentials'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-google/llama_index/tools/google/gmail/base.py:51
Function '_get_credentials' on line 51 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return self.search_messages(query="") def _get_credentials(self) -> Any: """ Get valid user credentials from storage.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Insecure tool function 'list_actions' executes dangerous operations
LLM07: Insecure Plugin Design HIGH
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-zapier/llama_index/tools/zapier/base.py:59
Tool function 'list_actions' on line 59 takes LLM output as a parameter and performs dangerous operations (http_request) without proper validation. Attackers can craft malicious LLM outputs to execute arbitrary commands, access files, or perform SQL injection.
""" setattr(self, action_name, function_action) self.spec_functions.append(action_name) def list_actions(self): response = requests.get( "https://nla.zapier.com/api/v1/dynamic/exposed/", headers=self._headers ) return response.text
Remediation
Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations
User input 'text' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-elevenlabs/llama_index/tools/elevenlabs/base.py:102
User input parameter 'text' is directly passed to LLM API call 'client.generate'. This is a high-confidence prompt injection vector.
# Generate audio audio = client.generate( text=text, voice=voice_id, voice_settings=voice_settings, model=model_id
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-text-to-image/llama_index/tools/text_to_image/base.py:35
User input parameter 'prompt' is directly passed to LLM API call 'openai.Image.create'. This is a high-confidence prompt injection vector.
try: response = openai.Image.create(prompt=prompt, n=n, size=size) return [image["url"] for image in response["data"]]
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Critical decision without oversight in 'generate_images'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-text-to-image/llama_index/tools/text_to_image/base.py:20
Function 'generate_images' on line 20 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
openai.api_key = api_key def generate_images( self, prompt: str, n: Optional[int] = 1, size: Optional[str] = "256x256" ) -> List[str]: """
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:157
LLM output variable 'response' flows to 'extract_output_from_stream' on line 157 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error executing code: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:214
LLM output variable 'response' flows to 'extract_output_from_stream' on line 214 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error executing command: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:262
LLM output variable 'response' flows to 'extract_output_from_stream' on line 262 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error reading files: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:310
LLM output variable 'response' flows to 'extract_output_from_stream' on line 310 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error listing files: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:358
LLM output variable 'response' flows to 'extract_output_from_stream' on line 358 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error deleting files: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:406
LLM output variable 'response' flows to 'extract_output_from_stream' on line 406 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error writing files: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:454
LLM output variable 'response' flows to 'extract_output_from_stream' on line 454 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error starting command: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:502
LLM output variable 'response' flows to 'extract_output_from_stream' on line 502 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error getting task status: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:550
LLM output variable 'response' flows to 'extract_output_from_stream' on line 550 via direct flow. This creates a sql_injection vulnerability.
return extract_output_from_stream(response) except Exception as e: return f"Error stopping task: {e!s}"
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Critical decision without oversight in 'delete_files'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:333
Function 'delete_files' on line 333 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self.list_files(directory_path=directory_path, thread_id=thread_id) def delete_files( self, paths: List[str], thread_id: str = "default",
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'write_files'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:381
Function 'write_files' on line 381 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self.delete_files(paths=paths, thread_id=thread_id) def write_files( self, files: List[Dict[str, str]], thread_id: str = "default",
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-vectara/llama_index/indices/managed/vectara/retriever.py:718
User input parameter 'query_bundle' is directly passed to LLM API call 'self.generate_retrieval_spec'. This is a high-confidence prompt injection vector.
) -> Tuple[List[NodeWithScore], str]: spec = self.generate_retrieval_spec(query_bundle) vectara_retriever, new_query = self._build_retriever_from_spec(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-vectara/llama_index/indices/managed/vectara/retriever.py:713
Function '_vectara_query' on line 713 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _vectara_query( self, query_bundle: QueryBundle, **kwargs: Any, ) -> Tuple[List[NodeWithScore], str]: spec = self.generate_retrieval_spec(query_bundle) vectara_retriever, new_query = self._build_retriever_from_spec( VectorStoreQuerySpec( query=spec.query, filters=spec.filters, top_k=self._similarity_top_k ) )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Unsafe data loading with pickle.load in training context
LLM03: Training Data Poisoning CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-bge-m3/llama_index/indices/managed/bge_m3/base.py:157
Function 'load_from_disk' uses pickle.load on line 157. Pickle-based deserialization can execute arbitrary code, allowing attackers to inject malicious code through poisoned training data or models.
index._docs_pos_to_node_id = docs_pos_to_node_id index._multi_embed_store = pickle.load( open(Path(persist_dir) / "multi_embed_store.pkl", "rb") )
Remediation
Secure Data Loading: 1. Use safetensors instead of pickle for model weights 2. For torch.load, use weights_only=True 3. Verify checksums/signatures before loading 4. Only load data from trusted, verified sources 5. Implement content scanning before deserialization 6. Consider using JSON/YAML for configuration data
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities INFO
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-bge-m3/llama_index/indices/managed/bge_m3/base.py:3
Import of 'pickle' on line 3. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-llama-cloud/llama_index/indices/managed/llama_cloud/retriever.py:147
Function '_retrieve' on line 147 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: """Retrieve from the platform.""" search_filters_inference_schema = OMIT if self._search_filters_inference_schema is not None: search_filters_inference_schema = ( self._search_filters_inference_schema.model_json_schema() ) results = self._client.pipelines.run_search( query=query_bundle.query_str, pipeline_id=self.pipeline.id, dense_similarity_top_k=self._dense_similarity_top_k,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Insecure tool function 'run_ingestion' executes dangerous operations
LLM07: Insecure Plugin Design HIGH
/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-dashscope/llama_index/indices/managed/dashscope/utils.py:31
Tool function 'run_ingestion' on line 31 takes LLM output as a parameter and performs dangerous operations (http_request) without proper validation. Attackers can craft malicious LLM outputs to execute arbitrary commands, access files, or perform SQL injection.
response_dict = get(base_url, headers, params) return response_dict.get("id", "") def run_ingestion(request_url: str, headers: dict, verbose: bool = False): ingestion_status = "" failed_docs = [] while True: response = requests.get(
Remediation
Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations
User input 'ref_doc_id' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:176
User input parameter 'ref_doc_id' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: return asyncio.get_event_loop().run_until_complete( self.adelete(ref_doc_id, **delete_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:217
User input parameter 'query' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:216
Function 'query' on line 216 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs)) async def aquery( self, query: VectorStoreQuery, **kwargs: Any ) -> VectorStoreQueryResult: filters = MetadataFiltersToFilters.metadata_filters_to_filters( query.filters if query.filters else [] ) if query.query_str: request = VectorSearchQueryRequest(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:175
Function 'delete' on line 175 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return [node.node_id for node in nodes] def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: return asyncio.get_event_loop().run_until_complete( self.adelete(ref_doc_id, **delete_kwargs) )
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'delete_nodes'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:183
Function 'delete_nodes' on line 183 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
await self.adelete_nodes([ref_doc_id], **delete_kwargs) def delete_nodes( self, node_ids: Optional[List[str]] = None, filters: Optional[MetadataFilters] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:310
Function 'query' on line 310 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: """ Query Moorcheh vector store. Args: query (VectorStoreQuery): query object Returns: VectorStoreQueryResult: query result """
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:423
Function 'get_generative_answer' on line 423 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_generative_answer( self, query: str, top_k: int = 5, ai_model: str = "anthropic.claude-3-7-sonnet-20250219-v1:0", llm: Optional[LLM] = None, **kwargs: Any, ) -> str: """ Get a generative AI answer using Moorcheh's built-in RAG capability.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:310
Function 'query' on line 310 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
raise def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: """ Query Moorcheh vector store.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities MEDIUM
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-txtai/llama_index/vector_stores/txtai/base.py:11
Import of 'pickle' on line 11. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-solr/llama_index/vector_stores/solr/base.py:839
LLM output from 'asyncio.run' is used in 'run(' on line 839 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
# No running loop: create a temporary loop and close cleanly asyncio.run(self.async_client.close()) else: # Running loop: schedule async close (not awaited)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azureaisearch/llama_index/vector_stores/azureaisearch/base.py:852
LLM output from 'asyncio.run' is used in 'run(' on line 852 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
# No running loop: create a temporary loop and close cleanly asyncio.run(self._async_search_client.close()) else: # Running loop: schedule async close (not awaited)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:92
LLM output from 'new_loop.run_until_complete' is used in 'run(' on line 92 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: return new_loop.run_until_complete(coroutine) finally: new_loop.close()
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:99
LLM output from 'asyncio.run' is used in 'run(' on line 99 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
except RuntimeError: result = asyncio.run(coroutine) else: if threading.current_thread() is threading.main_thread():
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:103
LLM output from 'loop.run_until_complete' is used in 'run(' on line 103 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if not loop.is_running(): result = loop.run_until_complete(coroutine) else: with ThreadPoolExecutor() as pool:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:158
LLM output from 'self.run' is used in 'run(' on line 158 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
) self.run(q) def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:218
LLM output from 'self.run' is used in 'run(' on line 218 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
q += self._sanitize_input(metadata_fields) + ")" self.run(q) def add_text(
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:258
LLM output from 'self.run' is used in 'run(' on line 258 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
q = "textcol " + podstorevcol js = self.run(q) if js == "": return ""
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:272
LLM output from 'self.run' is used in 'run(' on line 272 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
q += "','" + text + "')" js = self.run(q, False) zid = js["zid"] else:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:300
LLM output from 'self.run' is used in 'run(' on line 300 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if filecol != "": js = self.run(q, True) else: js = self.run(q, False)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:302
LLM output from 'self.run' is used in 'run(' on line 302 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
else: js = self.run(q, False) zid = js["zid"]
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:365
LLM output from 'self.run' is used in 'run(' on line 365 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
jarr = self.run(q) if jarr is None:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:482
LLM output from 'self.run' is used in 'run(' on line 482 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
q = "truncate store " + podstore self.run(q) def drop(self) -> None:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:493
LLM output from 'self.run' is used in 'run(' on line 493 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
q = "drop store " + podstore self.run(q) def prt(self, msg: str) -> None:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:142
Function 'delete' on line 142 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return ids def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: """ Delete nodes using with ref_doc_id.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'add_text'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:220
Function 'add_text' on line 220 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.run(q) def add_text( self, text: str, embedding: List[float],
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'drop'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:484
Function 'drop' on line 484 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.run(q) def drop(self) -> None: """ Drop or remove a store in jaguardb.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:577
User input parameter 'query' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:563
Function 'query' on line 563 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: """ Query index for top k most similar nodes. Args: query (VectorStoreQuery): contains query_embedding (List[float]): query embedding similarity_top_k (int): top k most similar nodes filters (Optional[MetadataFilters]): filter result Returns:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'clear'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:394
Function 'clear' on line 394 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return self._vdb_client def clear(self) -> None: """ Clear all nodes from Baidu VectorDB table. This method deletes the table.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:481
User input parameter 'query' is directly passed to LLM API call 'session.run'. This is a high-confidence prompt injection vector.
with self._driver.session(database=self._database) as session: data = session.run(neo4j.Query(text=query), params) return [r.data() for r in data]
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:481
LLM output from 'session.run' is used in 'run(' on line 481 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
with self._driver.session(database=self._database) as session: data = session.run(neo4j.Query(text=query), params) return [r.data() for r in data]
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:449
Function 'database_query' on line 449 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def database_query( self, query: str, params: Optional[Dict[str, Any]] = None, ) -> Any: params = params or {} try: data, _, _ = self._driver.execute_query( query, database_=self._database, parameters_=params ) return [r.data() for r in data]
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'database_query'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:449
Function 'database_query' on line 449 makes critical financial decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
self.database_query(fts_index_query) def database_query( self, query: str, params: Optional[Dict[str, Any]] = None,
Remediation
Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-mysql/llama_index/vector_stores/alibabacloud_mysql/base.py:796
LLM output from 'asyncio.run' is used in 'run(' on line 796 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if not loop.is_running(): asyncio.run(self._async_engine.dispose()) else: # If already in a running loop, create a new thread to run the disposal
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-mysql/llama_index/vector_stores/alibabacloud_mysql/base.py:808
LLM output from 'asyncio.run' is used in 'run(' on line 808 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
# If no event loop exists, create one asyncio.run(self._async_engine.dispose()) self._is_initialized = False
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
User input 'ref_doc_id' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:285
User input parameter 'ref_doc_id' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" return asyncio.get_event_loop().run_until_complete( self.adelete(ref_doc_id, **delete_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:334
User input parameter 'query' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
"""Query vector store.""" return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:328
Function 'query' on line 328 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query( self, query: VectorStoreQuery, **kwargs: Any, ) -> VectorStoreQueryResult: """Query vector store.""" return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs)) async def aquery( self, query: VectorStoreQuery, **kwargs: Any ) -> VectorStoreQueryResult:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:277
Function 'delete' on line 277 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return [node.node_id for node in nodes] def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: """ Delete nodes using with ref_doc_id.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'ref_doc_id' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:888
User input parameter 'ref_doc_id' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" asyncio.get_event_loop().run_until_complete( self.adelete(ref_doc_id, **delete_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:911
User input parameter 'query' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:94
Function '__init__' on line 94 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def __init__( self, host: str, port: int, username: str, password: str, index: str, dimension: int, text_field: str = "content", max_chunk_bytes: int = 1 * 1024 * 1024, os_client: Optional[OSClient] = None,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:902
Function 'query' on line 902 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query(self, query: VectorStoreQuery, **kwargs: Any) -> VectorStoreQueryResult: """ Query index for top k most similar nodes. Synchronous wrapper,using asynchronous logic of async_add function in synchronous way. Args: query (VectorStoreQuery): Store query object. """ return asyncio.get_event_loop().run_until_complete(self.aquery(query, **kwargs))
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:879
Function 'delete' on line 879 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return [result.node_id for result in nodes] def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: """ Delete nodes using a ref_doc_id. Synchronous wrapper,using asynchronous logic of async_add function in synchronous way.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'ref_doc_id' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:390
User input parameter 'ref_doc_id' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" return asyncio.get_event_loop().run_until_complete( self.adelete(ref_doc_id, **delete_kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:497
User input parameter 'query' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
""" return asyncio.get_event_loop().run_until_complete( self.aquery(query, custom_query, es_filter, **kwargs)
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:466
Function 'query' on line 466 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def query( self, query: VectorStoreQuery, custom_query: Optional[ Callable[[Dict, Union[VectorStoreQuery, None]], Dict] ] = None, es_filter: Optional[List[Dict]] = None, metadata_keyword_suffix: str = ".keyword", **kwargs: Any, ) -> VectorStoreQueryResult: """
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'delete'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:377
Function 'delete' on line 377 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def delete(self, ref_doc_id: str, **delete_kwargs: Any) -> None: """ Delete node from Elasticsearch index.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'delete_nodes'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:411
Function 'delete_nodes' on line 411 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def delete_nodes( self, node_ids: Optional[List[str]] = None, filters: Optional[MetadataFilters] = None,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'clear'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:631
Function 'clear' on line 631 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return nodes def clear(self) -> None: """ Clear all nodes from Elasticsearch index. This method deletes and recreates the index.
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'add'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-pinecone/llama_index/vector_stores/pinecone/base.py:294
Function 'add' on line 294 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return "PinconeVectorStore" def add( self, nodes: List[BaseNode], **add_kwargs: Any,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-integrations/sparse_embeddings/llama-index-sparse-embeddings-fastembed/llama_index/sparse_embeddings/fastembed/base.py:114
Function '_get_query_embedding' on line 114 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _get_query_embedding(self, query: str) -> SparseEmbedding: results = self._model.query_embed(query) return self._fastembed_to_dict(results)[0] async def _aget_query_embedding(self, query: str) -> SparseEmbedding: return self._get_query_embedding(query)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/adapter.py:119
Function 'smart_batching_collate' on line 119 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def smart_batching_collate(self, batch: List) -> Tuple[Any, Any]: """Smart batching collate.""" import torch from torch import Tensor query_embeddings: List[Tensor] = [] text_embeddings: List[Tensor] = [] for query, text in batch: query_embedding = self.embed_model.get_query_embedding(query) text_embedding = self.embed_model.get_text_embedding(text)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/adapter_utils.py:51
Function 'train_model' on line 51 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def train_model( model: BaseAdapter, data_loader: torch.utils.data.DataLoader, device: torch.device, epochs: int = 1, steps_per_epoch: Optional[int] = None, warmup_steps: int = 10000, optimizer_class: Type[Optimizer] = torch.optim.AdamW, optimizer_params: Dict[str, Any] = {"lr": 2e-5}, output_path: str = "model_output", max_grad_norm: float = 1,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/common.py:103
Function 'generate_qa_embedding_pairs' on line 103 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate_qa_embedding_pairs( nodes: List[TextNode], llm: LLM, qa_generate_prompt_tmpl: str = DEFAULT_QA_GENERATE_PROMPT_TMPL, num_questions_per_chunk: int = 2, retry_limit: int = 3, on_failure: str = "continue", # options are "fail" or "continue" save_every: int = 500, output_path: str = "qa_finetune_dataset.json", verbose: bool = True, ) -> EmbeddingQAFinetuneDataset:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/mistralai/base.py:76
Function 'finetune' on line 76 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def finetune(self) -> None: """Finetune model.""" if self._validate_json: if self.training_path: reformat_jsonl(self.training_path) if self.validation_path: reformat_jsonl(self.validation_path) # upload file with open(self.training_path, "rb") as f: train_file = self._client.files.upload(file=f)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/azure_openai/base.py:118
Function 'get_finetuned_model' on line 118 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def get_finetuned_model(self, engine: str, **model_kwargs: Any) -> LLM: """ Get finetuned model. - engine: This will correspond to the custom name you chose for your deployment when you deployed a model. """ current_job = self.get_current_job() return AzureOpenAI( engine=engine or current_job.fine_tuned_model, **model_kwargs
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/dataset_gen.py:121
Function 'generate_ce_fine_tuning_dataset' on line 121 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def generate_ce_fine_tuning_dataset( documents: List[Document], questions_list: List[str], max_chunk_length: int = 1000, llm: Optional[LLM] = None, qa_doc_relevance_prompt: str = DEFAULT_QUERY_DOC_RELEVANCE_PROMPT, top_k: int = 8, ) -> List[CrossEncoderFinetuningDatasetSample]: ce_dataset_list = [] node_parser = TokenTextSplitter(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'generate_synthetic_queries_over_documents'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/dataset_gen.py:35
Function 'generate_synthetic_queries_over_documents' on line 35 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
def generate_synthetic_queries_over_documents( documents: List[Document], num_questions_per_chunk: int = 5, max_chunk_length: int = 3000,
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model artifacts exposed without protection in 'push_to_hub'
LLM10: Model Theft HIGH
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/cross_encoder.py:103
Function 'push_to_hub' on line 103 exposes huggingface model artifacts without proper access control. This allows unauthorized users to download the full model, stealing intellectual property and training data.
pass def push_to_hub(self, repo_id: Any = None) -> None: """ Saves the model and tokenizer to HuggingFace hub. """
Remediation
Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/openai/base.py:60
Function 'finetune' on line 60 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def finetune(self) -> None: """Finetune model.""" if self._validate_json: validate_json(self.data_path) # TODO: figure out how to specify file name in the new API # file_name = os.path.basename(self.data_path) # upload file with open(self.data_path, "rb") as f: output = self._client.files.create(file=f, purpose="fine-tune")
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'website_url' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-amazon-product-extraction/llama_index/packs/amazon_product_extraction/base.py:68
User input parameter 'website_url' is directly passed to LLM API call 'asyncio.get_event_loop().run_until_complete'. This is a high-confidence prompt injection vector.
# download image to temporary file asyncio.get_event_loop().run_until_complete( _screenshot_page(
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-recursive-retriever/llama_index/packs/recursive_retriever/embedded_tables_unstructured/base.py:4
Import of 'pickle' on line 4. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-koda-retriever/llama_index/packs/koda_retriever/base.py:125
User input 'query' flows to LLM call via format_call in variable 'prompt'. Function 'categorize' may be vulnerable to prompt injection attacks.
prompt = CATEGORIZER_PROMPT.format( question=query, category_info=self.matrix.get_all_category_info() ) response = str(self.llm.complete(prompt)) # type: ignore
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
User input 'query' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:393
User input parameter 'query' is directly passed to LLM API call 'self._wf.run'. This is a high-confidence prompt injection vector.
"""Runs pipeline.""" return asyncio_run(self._wf.run(query_str=query))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:366
LLM output from 'self._wf.run' is used in 'run(' on line 366 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
result = asyncio_run( self._wf.run( data_dir=self._data_dir, llm=self._llm,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:393
LLM output from 'self._wf.run' is used in 'run(' on line 393 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Runs pipeline.""" return asyncio_run(self._wf.run(query_str=query))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:391
Function 'run' on line 391 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run(self, query: str, *args: t.Any, **kwargs: t.Any) -> t.Any: """Runs pipeline.""" return asyncio_run(self._wf.run(query_str=query))
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-diff-private-simple-dataset/llama_index/packs/diff_private_simple_dataset/base.py:311
LLM output from 'asyncio.run' is used in 'run(' on line 311 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Generates a differentially private synthetic example.""" return asyncio.run( self.agenerate_dp_synthetic_example( label=label,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-diff-private-simple-dataset/llama_index/packs/diff_private_simple_dataset/base.py:411
Function 'run' on line 411 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run( self, sizes: Union[int, Dict[str, int]], t_max: int = 1, sigma: float = 0.5, num_splits: int = 5, num_samples_per_split: int = 1, ) -> LabelledSimpleDataset: """Main run method.""" if num_samples_per_split < 1: raise ValueError(
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'generate_instructions_gen'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raft-dataset/llama_index/packs/raft_dataset/base.py:98
Function 'generate_instructions_gen' on line 98 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return str(response) def generate_instructions_gen(self, chunk, x=5) -> List[str]: """ Generates `x` questions / use cases for `chunk`. Used when the input document is of general types `pdf`, `json`, or `txt`.
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'add_chunk_to_dataset'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raft-dataset/llama_index/packs/raft_dataset/base.py:140
Function 'add_chunk_to_dataset' on line 140 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return [node.get_content() for node in nodes] def add_chunk_to_dataset( self, chunks: List, chunk: str,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:278
Function 'chat' on line 278 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> AgentCitationsChatResponse: if chat_history is not None: self._memory.set(chat_history) self._memory.put(ChatMessage(content=message, role="user")) context_str_template, nodes = self._generate_context(message) prefix_messages = self._get_prefix_messages_with_context(context_str_template) all_messages = self._memory.get_all()
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:321
Function 'stream_chat' on line 321 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def stream_chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> StreamingAgentCitationsChatResponse: if chat_history is not None: self._memory.set(chat_history) self._memory.put(ChatMessage(content=message, role="user")) context_str_template, nodes = self._generate_context(message) prefix_messages = self._get_prefix_messages_with_context(context_str_template) all_messages = self._memory.get_all() documents_list = convert_nodes_to_documents_list(nodes)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:278
Function 'chat' on line 278 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@trace_method("chat") def chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> AgentCitationsChatResponse: if chat_history is not None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'stream_chat'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:321
Function 'stream_chat' on line 321 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
@trace_method("chat") def stream_chat( self, message: str, chat_history: Optional[List[ChatMessage]] = None ) -> StreamingAgentCitationsChatResponse: if chat_history is not None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-dense-x-retrieval/llama_index/packs/dense_x_retrieval/base.py:158
LLM output from 'asyncio.run' is used in 'run(' on line 158 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Get propositions.""" sub_nodes = asyncio.run( run_jobs( [self._aget_proposition(node) for node in nodes],
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
LLM output from 'st.chat_input' is used in 'run(' on line 41 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
def run(self, *args: Any, **kwargs: Any) -> Any: """Run the pipeline.""" import streamlit as st
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
Function 'run' on line 41 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run(self, *args: Any, **kwargs: Any) -> Any: """Run the pipeline.""" import streamlit as st from streamlit_pills import pills st.set_page_config( page_title=f"Chat with {self.wikipedia_page}'s Wikipedia page, powered by LlamaIndex", page_icon="🦙", layout="centered", initial_sidebar_state="auto", menu_items=None,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in 'run'
LLM09: Overreliance HIGH
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
Function 'run' on line 41 makes critical security decisions based on LLM output without human oversight or verification. Action edges detected (HTTP/file/DB/subprocess) - risk of automated execution.
return {} def run(self, *args: Any, **kwargs: Any) -> Any: """Run the pipeline.""" import streamlit as st from streamlit_pills import pills
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output flows to sql_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-multi-tenancy-rag/llama_index/packs/multi_tenancy_rag/base.py:38
LLM output variable 'nodes' flows to 'self.index.insert_nodes' on line 38 via direct flow. This creates a sql_injection vulnerability.
# Insert nodes into the index self.index.insert_nodes(nodes) def run(self, query_str: str, user: Any, **kwargs: Any) -> Any:
Remediation
Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-multi-tenancy-rag/llama_index/packs/multi_tenancy_rag/base.py:25
Function 'add' on line 25 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def add(self, documents: List[Document], user: Any) -> None: """Insert Documents of a user into index.""" # Add metadata to documents for document in documents: document.metadata["user"] = user # Create Nodes using IngestionPipeline pipeline = IngestionPipeline( transformations=[ SentenceSplitter(chunk_size=512, chunk_overlap=20), ] )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Use of pickle for serialization
LLM05: Supply Chain Vulnerabilities INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-panel-chatbot/llama_index/packs/panel_chatbot/app.py:4
Import of 'pickle' on line 4. This library can execute arbitrary code during deserialization. (Advisory: safe if only used with trusted local data.)
import pickle
Remediation
Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raptor/llama_index/packs/raptor/base.py:141
LLM output from 'asyncio.run' is used in 'run(' on line 141 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
if len(documents) > 0: asyncio.run(self.insert(documents)) def _get_embeddings_per_level(self, level: int = 0) -> List[float]:
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-self-discover/llama_index/packs/self_discover/base.py:197
LLM output from 'self.workflow.run' is used in 'run(' on line 197 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Runs the configured pipeline for a specified task and reasoning modules.""" return asyncio_run(self.workflow.run(task=task, llm=self.llm))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:99
Function 'run' on line 99 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run(self, message: str, **kwargs: Any) -> Any: """Run the pipeline.""" # tailored for query engine input/output, using "user" role chat = [{"role": "user", "content": message}] prompt = self._moderation_prompt_for_chat(chat) inputs = self.tokenizer([prompt], return_tensors="pt").to(self.device) output = self.model.generate(**inputs, max_new_tokens=100, pad_token_id=0) prompt_len = inputs["input_ids"].shape[-1] return self.tokenizer.decode(output[0][prompt_len:], skip_special_tokens=True)
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Critical decision without oversight in '__init__'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:56
Function '__init__' on line 56 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
class LlamaGuardModeratorPack(BaseLlamaPack): def __init__( self, custom_taxonomy: str = DEFAULT_TAXONOMY, ) -> None:
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'run'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:99
Function 'run' on line 99 makes critical security decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
} def run(self, message: str, **kwargs: Any) -> Any: """Run the pipeline.""" # tailored for query engine input/output, using "user" role chat = [{"role": "user", "content": message}]
Remediation
Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
User input 'query_str' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:182
User input parameter 'query_str' is directly passed to LLM API call 'self._wf.run'. This is a high-confidence prompt injection vector.
"""Run the pipeline.""" return asyncio_run(self._wf.run(query_str=query_str))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:182
LLM output from 'self._wf.run' is used in 'run(' on line 182 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Run the pipeline.""" return asyncio_run(self._wf.run(query_str=query_str))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:180
Function 'run' on line 180 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def run(self, query_str: str, **kwargs: Any) -> Any: """Run the pipeline.""" return asyncio_run(self._wf.run(query_str=query_str))
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
LLM output used in dangerous code_execution sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:70
LLM output from 'self.dprmodel.eval' is used in 'eval(' on line 70 without sanitization. This creates a code_execution vulnerability where malicious LLM output can compromise application security.
self.dprmodel = DPRReader.from_pretrained(dprmodel_path) self.dprmodel.eval() self.dprmodel.to(self.device)
Remediation
Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead
LLM output used in dangerous code_execution sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:71
LLM output from 'self.dprmodel.to' is used in 'eval(' on line 71 without sanitization. This creates a code_execution vulnerability where malicious LLM output can compromise application security.
self.dprmodel.eval() self.dprmodel.to(self.device) def _get_answer(self, query, texts, title):
Remediation
Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead
Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:38
Function '_have_seen_or_not' on line 38 has 5 DoS risk(s): LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _have_seen_or_not(model_cross_encoder, query_item, query_seen_list, query_type): if "Unsolved" in query_type: return False for query_seen in query_seen_list: with torch.no_grad(): if model_cross_encoder.predict([(query_seen, query_item)]) > 0.5: return True return False class SearChainPack(BaseLlamaPack):
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:165
Function 'execute' on line 165 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def execute(self, data_path, start_idx): data = open(data_path) for k, example in enumerate(data): if k < start_idx: continue example = json.loads(example) q = example["question"] round_count = 0 message_keys_list = [ ChatMessage( role="user",
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Direct execution of LLM-generated code in '__init__'
LLM08: Excessive Agency CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:51
Function '__init__' on line 51 directly executes code generated or influenced by an LLM using exec()/eval() or subprocess. This creates a critical security risk where malicious or buggy LLM outputs can execute arbitrary code, potentially compromising the entire system.
class SearChainPack(BaseLlamaPack): """Simple short form SearChain pack.""" def __init__( self, data_path: str, dprtokenizer_path: str = "facebook/dpr-reader-multiset-base", # download from https://huggingface.co/facebook/dpr-reader-multiset-base, dprmodel_path: str = "facebook/dpr-reader-multiset-base", # download from https://huggingface.co/facebook/dpr-reader-multiset-base, crossencoder_name_or_path: str = "microsoft/MiniLM-L12-H384-uncased", # down load from https://huggingface.co/microsoft/MiniLM-L12-H384-uncased,
Remediation
Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution
Direct execution of LLM output in '__init__'
LLM09: Overreliance CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:51
Function '__init__' on line 51 directly executes LLM-generated code using eval(. This is extremely dangerous and allows arbitrary code execution.
"""Simple short form SearChain pack.""" def __init__( self, data_path: str, dprtokenizer_path: str = "facebook/dpr-reader-multiset-base", # download from https://huggingface.co/facebook/dpr-reader-multiset-base,
Remediation
NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring
Critical decision without oversight in 'execute'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:165
Function 'execute' on line 165 makes critical security, data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
return "Sorry, I still cannot solve this question!" def execute(self, data_path, start_idx): data = open(data_path) for k, example in enumerate(data): if k < start_idx:
Remediation
Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llava-completion/llama_index/packs/llava_completion/base.py:39
LLM output from 'self.llm.complete' is used in 'run(' on line 39 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Run the pipeline.""" return self.llm.complete(*args, **kwargs)
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:325
LLM output from 'context.run' is used in 'run(' on line 325 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
try: context.run(active_span_id.reset, token) except ValueError as e: # TODO: Since the context is created in a sync context no in async task,
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Critical decision without oversight in 'span'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:264
Function 'span' on line 264 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
c = c.parent def span(self, func: Callable[..., _R]) -> Callable[..., _R]: # The `span` decorator should be idempotent. try: if hasattr(func, DISPATCHER_SPAN_DECORATED_ATTR):
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
Critical decision without oversight in 'handle_future_result'
LLM09: Overreliance INFO
/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:300
Function 'handle_future_result' on line 300 makes critical data_modification decisions based on LLM output without human oversight or verification. No action edges detected - advisory only.
) def handle_future_result( future: asyncio.Future, span_id: str, bound_args: inspect.BoundArguments,
Remediation
Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/param_tuner/base.py:204
LLM output from 'asyncio.run' is used in 'run(' on line 204 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
"""Run tuning.""" return asyncio.run(self.atune())
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/nudge/base.py:64
Function '_format_dataset' on line 64 has 4 DoS risk(s): LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _format_dataset( self, dataset: EmbeddingQAFinetuneDataset, corpus: Dict[str, str] ): """ Convert the dataset into NUDGE format. Args: dataset (EmbeddingQAFinetuneDataset): Dataset to convert. """ try:
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'prompt' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:102
User input parameter 'prompt' is directly passed to LLM API call 'llm.predict'. This is a high-confidence prompt injection vector.
# Get the SQL query with text-to-SQL prompt response_str = llm.predict( prompt=prompt,
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:54
Function 'default_jsonalyzer' on line 54 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def default_jsonalyzer( list_of_dict: List[Dict[str, Any]], query_bundle: QueryBundle, llm: LLM, table_name: str = DEFAULT_TABLE_NAME, prompt: BasePromptTemplate = DEFAULT_JSONALYZE_PROMPT, sql_parser: BaseSQLParser = DefaultSQLParser(), ) -> Tuple[str, Dict[str, Any], List[Dict[str, Any]]]: """ Default JSONalyzer that executes a query on a list of dictionaries.
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:287
Function '_query' on line 287 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> Response: """Answer an analytical query on the JSON List.""" query = query_bundle.query_str if self._verbose: print_text(f"Query: {query}\n", color="green") # Perform the analysis sql_query, table_schema, results = self._analyzer( self._list_of_dict, query_bundle, self._llm,
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/polars/polars_query_engine.py:160
Function '_query' on line 160 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> Response: """Answer a query.""" context = self._get_table_context() polars_response_str = self._llm.predict( self._polars_prompt, df_str=context, query_str=query_bundle.query_str, instruction_str=self._instruction_str, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/pandas/pandas_query_engine.py:177
Function '_query' on line 177 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _query(self, query_bundle: QueryBundle) -> Response: """Answer a query.""" context = self._get_table_context() pandas_response_str = self._llm.predict( self._pandas_prompt, df_str=context, query_str=query_bundle.query_str, instruction_str=self._instruction_str, )
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
User input 'query_bundle' embedded in LLM prompt
LLM01: Prompt Injection CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:217
User input parameter 'query_bundle' is directly passed to LLM API call 'asyncio.run'. This is a high-confidence prompt injection vector.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: return asyncio.run(self._aretrieve(query_bundle))
Remediation
Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries
LLM output used in dangerous command_injection sink
LLM02: Insecure Output Handling CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:217
LLM output from 'asyncio.run' is used in 'run(' on line 217 without sanitization. This creates a command_injection vulnerability where malicious LLM output can compromise application security.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: return asyncio.run(self._aretrieve(query_bundle))
Remediation
Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell
Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits
LLM04: Model Denial of Service CRITICAL
/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:216
Function '_retrieve' on line 216 has 4 DoS risk(s): No rate limiting, No input length validation, No timeout configuration, No token/context limits. These missing protections enable attackers to exhaust model resources through excessive requests, large inputs, or recursive calls, leading to service degradation or unavailability.
def _retrieve(self, query_bundle: QueryBundle) -> List[NodeWithScore]: return asyncio.run(self._aretrieve(query_bundle))
Remediation
Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets
29
Overall Score
Developing
31
Controls Detected
of 61
5914
Files Analyzed
695
Total Recommendations

Category Scores

Prompt Security
34/100
  • Prompt Sanitization Advanced
  • Rate Limiting Missing
  • Input Validation Advanced
  • Output Filtering Advanced
  • Context Window Protection Missing
  • Red Team Testing Missing
  • Prompt Anomaly Detection Intermediate
  • System Prompt Protection Missing
4 Detected 0 Partial 4 Missing
Model Security
31/100
  • Access Control Missing
  • Model Versioning Missing
  • Dependency Scanning Partial
  • API Security Missing
  • Model Source Verification Advanced
  • Differential Privacy Advanced
  • Model Watermarking Missing
  • Secure Model Loading Advanced
3 Detected 1 Partial 4 Missing
Data Privacy
47/100
  • PII Detection Advanced
  • Data Redaction Advanced
  • Data Encryption Advanced
  • Audit Logging Advanced
  • Consent Management Missing
  • NER PII Detection Advanced
  • Data Retention Policy Missing
  • GDPR Compliance Missing
5 Detected 0 Partial 3 Missing
OWASP LLM Top 10
48/100
  • LLM01: Prompt Injection Defense Advanced
  • LLM02: Insecure Output Handling Advanced
  • LLM03: Training Data Poisoning Missing
  • LLM04: Model Denial of Service Missing
  • LLM05: Supply Chain Vulnerabilities Intermediate
  • LLM06: Sensitive Information Disclosure Advanced
  • LLM07: Insecure Plugin Design Advanced
  • LLM08: Excessive Agency Intermediate
  • LLM09: Overreliance Advanced
  • LLM10: Model Theft Missing
7 Detected 0 Partial 3 Missing
Blue Team Operations
21/100
  • Model Monitoring Advanced
  • Drift Detection Missing
  • Anomaly Detection Missing
  • Adversarial Attack Detection Missing
  • AI Incident Response Missing
  • Model Drift Monitoring Missing
  • Data Quality Monitoring Advanced
2 Detected 0 Partial 5 Missing
AI Governance
15/100
  • Model Explainability Intermediate
  • Bias Detection Partial
  • Model Documentation Missing
  • Compliance Tracking Missing
  • Human Oversight Missing
1 Detected 1 Partial 3 Missing
Supply Chain Security
42/100
  • Dependency Scanning Missing
  • Model Provenance Tracking Intermediate
  • Model Integrity Verification Advanced
2 Detected 0 Partial 1 Missing
Hallucination Mitigation
45/100
  • RAG Implementation Advanced
  • Confidence Scoring Missing
  • Source Attribution Advanced
  • Temperature Control Missing
  • Fact Checking Advanced
3 Detected 0 Partial 2 Missing
Ethical AI & Bias
25/100
  • Fairness Metrics Intermediate
  • Model Explainability Intermediate
  • Bias Testing Missing
  • Model Cards Missing
2 Detected 0 Partial 2 Missing
Incident Response
0/100
  • Monitoring Integration Missing
  • Audit Logging Missing
  • Rollback Capability Missing
0 Detected 0 Partial 3 Missing

All Recommendations (695)

Rate Limiting
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Context Window Protection
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Red Team Testing
Audit critical

Detection failed: 'ConfigAnalyzer' object has no attribute 'file_exists'

System Prompt Protection
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Access Control
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Model Versioning
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

API Security
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Model Watermarking
Audit critical

Implement watermarking for model outputs

Model Watermarking
Audit critical

Use cryptographic watermarks for model weights

Model Watermarking
Audit critical

Track watermark verification for model theft detection

Consent Management
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Data Retention Policy
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

GDPR Compliance
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

LLM03: Training Data Poisoning
Audit critical

Implement data validation pipelines

LLM03: Training Data Poisoning
Audit critical

Verify data source integrity

LLM03: Training Data Poisoning
Audit critical

Monitor for anomalies in training data

LLM04: Model Denial of Service
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

LLM10: Model Theft
Audit critical

Implement rate limiting on API endpoints

LLM10: Model Theft
Audit critical

Add query logging and anomaly detection

LLM10: Model Theft
Audit critical

Monitor for extraction patterns

Drift Detection
Audit critical

Implement drift detection with evidently or alibi-detect

Drift Detection
Audit critical

Monitor input data distribution changes

Drift Detection
Audit critical

Set up automated alerts for drift events

Anomaly Detection
Audit critical

Implement anomaly detection on model inputs

Anomaly Detection
Audit critical

Monitor for unusual query patterns

Anomaly Detection
Audit critical

Use statistical methods or ML-based detection

Adversarial Attack Detection
Audit critical

Implement adversarial input detection

Adversarial Attack Detection
Audit critical

Use adversarial robustness toolkits

Adversarial Attack Detection
Audit critical

Add input perturbation analysis

AI Incident Response
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Model Drift Monitoring
Audit critical

Use Evidently or alibi-detect for drift monitoring

Model Drift Monitoring
Audit critical

Set up automated alerts for significant drift

Model Drift Monitoring
Audit critical

Implement automatic retraining pipelines

Model Documentation
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Compliance Tracking
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Human Oversight
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Dependency Scanning
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Confidence Scoring
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Temperature Control
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Bias Testing
Audit critical

Implement adversarial testing for bias

Bias Testing
Audit critical

Test across demographic groups

Bias Testing
Audit critical

Use TextAttack or CheckList for NLP bias testing

Model Cards
Audit critical

Detection failed: 'ConfigAnalyzer' object has no attribute 'file_exists'

Monitoring Integration
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Audit Logging
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

Rollback Capability
Audit critical

Detection failed: 'bool' object has no attribute 'lower'

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-cli/llama_index/cli/rag/base.py:328
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:142
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:78
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:101
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:113
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Direct execution of LLM-generated code in 'get_changed_files'/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:136
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Critical decision without oversight in 'get_changed_files'/private/tmp/llamaindex-test/llama-dev/llama_dev/utils.py:136
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:20
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Direct execution of LLM-generated code in '_run_command'/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:15
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in '_run_command'/private/tmp/llamaindex-test/llama-dev/llama_dev/release/changelog.py:15
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:61
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:53
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Direct execution of LLM-generated code in 'cmd_exec'/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in 'cmd_exec'/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/cmd_exec.py:35
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/bump.py:32
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/info.py:24
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:55
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:99
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:60
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/async_utils.py:46
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/fusion_retriever.py:83
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:41
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:41
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/retrievers/transform_retriever.py:40
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/ingestion/pipeline.py:159
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/ingestion/pipeline.py:160
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/utils.py:151
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/utils.py:187
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/tools/function_tool.py:49
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'message' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:208
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:216
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:205
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:214
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'message' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:130
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:139
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:117
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:127
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:137
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/node_recency.py:108
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:174
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:57
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/rankGPT_rerank.py:173
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/optimizer.py:98
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/llm_rerank.py:71
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/postprocessor/structured_llm_rerank.py:143
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/program/function_program.py:153
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/simple_summarize.py:82
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/generation.py:77
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:227
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:293
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:220
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/tree_summarize.py:141
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/tree_summarize.py:134
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'llama_dataset_id' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:90
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:90
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Direct execution of LLM-generated code in '_download_llama_dataset_from_hub'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:84
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in '_download_llama_dataset_from_hub'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/eval_utils.py:84
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_context.py:158
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'latest_message' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/condense_plus_context.py:183
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/condense_question.py:117
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/types.py:402
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'latest_message' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:141
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:237
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/question_gen/llm_generators.py:67
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/custom.py:34
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:53
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:74
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/function_calling.py:236
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/function_calling.py:35
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/mock.py:148
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:151
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:156
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:125
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/knowledge_graph_query_engine.py:149
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sql_join_query_engine.py:147
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sql_join_query_engine.py:250
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/multi_modal.py:111
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:140
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:70
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/retry_query_engine.py:140
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/sub_question_query_engine.py:151
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:47
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:58
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:84
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:47
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:58
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:84
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:46
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:52
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/transform_query_engine.py:82
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/base/base_auto_retriever.py:35
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/base/base_auto_retriever.py:33
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/selectors/llm_selectors.py:215
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llama_dataset/legacy/embedding.py:72
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/answer_inserter.py:165
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/base.py:188
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/faithfulness.py:133
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/relevancy.py:112
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:758
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:771
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/multi_agent_workflow.py:745
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:725
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:738
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/agent/workflow/base_agent.py:712
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/node_parser/text/semantic_splitter.py:160
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/node_parser/text/semantic_splitter.py:263
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:223
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:339
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_embedding_retriever.py:106
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:87
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:99
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:146
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:116
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'sql_query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:253
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:109
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:247
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_query.py:257
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/json_query.py:158
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'handle_llm_prompt_template' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:574
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:164
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:579
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:157
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:190
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:541
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:160
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:204
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:234
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/retrievers.py:156
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/base.py:239
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/keyword_table/base.py:243
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:202
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:208
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:203
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:259
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:195
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/list/retrievers.py:124
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/list/retrievers.py:191
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/document_summary/retrievers.py:81
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/document_summary/retrievers.py:157
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/feedback_transform.py:103
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle_or_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:73
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:73
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:143
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:67
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:139
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:189
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/query/query_transform/base.py:297
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common/struct_store/base.py:213
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common/struct_store/base.py:192
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/vector_store/retrievers/auto_retriever/auto_retriever.py:158
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/dynamic_llm.py:296
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/simple_llm.py:78
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/transformations/schema_llm.py:246
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/vector.py:85
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/text_to_cypher.py:137
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/sub_retrievers/cypher_template.py:52
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/protocols/llama-index-protocols-ag-ui/llama_index/protocols/ag_ui/agent.py:89
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai/llama_index/llms/openai/responses.py:279
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai/llama_index/llms/openai/base.py:486
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:183
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:214
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-siliconflow/llama_index/llms/siliconflow/base.py:550
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:225
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:263
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:284
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-langchain/llama_index/llms/langchain/base.py:86
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:657
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:388
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:436
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:473
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:487
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mlx/llama_index/llms/mlx/base.py:284
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:261
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:264
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:290
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:241
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:268
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:456
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:496
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:532
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:576
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:519
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-vertex/llama_index/llms/vertex/utils.py:109
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-vertex/llama_index/llms/vertex/utils.py:111
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:364
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:430
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:746
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:750
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:359
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:422
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:379
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:415
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:410
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:450
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:514
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:421
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:249
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:268
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:287
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:340
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:283
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:330
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino/llama_index/llms/openvino/base.py:92
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:230
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:235
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:287
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:261
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-predibase/llama_index/llms/predibase/base.py:273
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-contextual/llama_index/llms/contextual/base.py:181
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:269
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:379
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:243
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:301
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:155
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:173
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openai-like/llama_index/llms/openai_like/base.py:166
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-replicate/llama_index/llms/replicate/base.py:111
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:125
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:143
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-yi/llama_index/llms/yi/base.py:136
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:171
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:183
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-modelscope/llama_index/llms/modelscope/base.py:180
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:356
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:389
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:504
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:353
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:474
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino-genai/llama_index/llms/openvino_genai/base.py:395
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:155
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:258
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:312
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:365
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:312
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:365
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:570
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:621
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:723
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:306
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:357
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:558
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:599
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:701
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to code_execution sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:256
Scan critical

Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required

LLM output flows to code_execution sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:341
Scan critical

Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required

Direct execution of LLM-generated code in 'setup_distributed_model'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:262
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in 'setup_model'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:192
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

Direct execution of LLM output in 'setup_distributed_model'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gaudi/llama_index/llms/gaudi/utils.py:262
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-clarifai/llama_index/llms/clarifai/base.py:151
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:106
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:140
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:220
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:243
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:261
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:272
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:298
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:432
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:417
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:452
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:247
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:291
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:318
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:398
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-bedrock/llama_index/llms/bedrock/base.py:354
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:245
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:342
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:413
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:238
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:340
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:405
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:385
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:402
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:419
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:436
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:380
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:395
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:412
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-cloudflare-ai-gateway/llama_index/llms/cloudflare_ai_gateway/base.py:429
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-palm/llama_index/llms/palm/base.py:145
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:113
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:155
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:148
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:198
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Direct execution of LLM output in 'read_file'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:108
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

Direct execution of LLM output in 'load'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-oracleai/llama_index/readers/oracleai/base.py:198
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

User input 'urls' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/zyte_web/base.py:162
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/zyte_web/base.py:162
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'urls' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/async_web/base.py:140
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/async_web/base.py:140
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:70
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:79
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:62
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-pandas-ai/llama_index/readers/pandas_ai/base.py:72
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-dashscope/llama_index/readers/dashscope/base.py:367
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-dashscope/llama_index/readers/dashscope/base.py:431
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/repository/base.py:420
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/repository/base.py:486
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/collaborators/base.py:102
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/issues/base.py:120
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:15
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Direct execution of LLM-generated code in 'nougat_ocr'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:11
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in 'nougat_ocr'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-nougat-ocr/llama_index/readers/nougat_ocr/base.py:11
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-opendal/llama_index/readers/opendal/base.py:54
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-jaguar/llama_index/readers/jaguar/base.py:158
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-jaguar/llama_index/readers/jaguar/base.py:207
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'contexts_list' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/evaluation/llama-index-evaluation-tonic-validate/llama_index/evaluation/tonic_validate/tonic_validate_evaluator.py:156
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/evaluation/llama-index-evaluation-tonic-validate/llama_index/evaluation/tonic_validate/tonic_validate_evaluator.py:156
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/response_synthesizers/llama-index-response-synthesizers-google/llama_index/response_synthesizers/google/base.py:154
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/response_synthesizers/llama-index-response-synthesizers-google/llama_index/response_synthesizers/google/base.py:128
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-evaporate/llama_index/program/evaporate/extractor.py:118
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-evaporate/llama_index/program/evaporate/extractor.py:240
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/program/llama-index-program-lmformatenforcer/llama_index/program/lmformatenforcer/base.py:103
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/storage/chat_store/llama-index-storage-chat-store-redis/llama_index/storage/chat_store/redis/base.py:287
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/voice_agents/llama-index-voice-agents-openai/llama_index/voice_agents/openai/audio_interface.py:119
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/voice_agents/llama-index-voice-agents-openai/llama_index/voice_agents/openai/audio_interface.py:113
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/neo4j_property_graph.py:650
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:290
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:290
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:176
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:186
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:193
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:89
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:89
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/kg_base.py:86
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-memgraph/llama_index/graph_stores/memgraph/property_graph.py:648
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:143
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:178
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:364
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:84
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:94
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'messages' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:162
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:66
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-rankgpt-rerank/llama_index/postprocessor/rankgpt_rerank/base.py:160
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-ibm/llama_index/postprocessor/ibm/base.py:258
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'documents' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-alibabacloud-aisearch/llama_index/node_parser/alibabacloud_aisearch/base.py:102
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-clarifai/llama_index/embeddings/clarifai/base.py:94
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-google/llama_index/embeddings/google/palm.py:57
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-google/llama_index/embeddings/google/gemini.py:69
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-langchain/llama_index/embeddings/langchain/base.py:62
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-fastembed/llama_index/embeddings/fastembed/base.py:120
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-gemini/llama_index/embeddings/gemini/base.py:94
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-heroku/examples/basic_usage.py:7
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous code_execution sink/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:200
Scan critical

Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead

Direct execution of LLM-generated code in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:165
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-nomic/llama_index/embeddings/nomic/base.py:165
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:178
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:186
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:178
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:186
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-api/llama_index/embeddings/huggingface_api/base.py:172
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-isaacus/examples/basic_usage.py:8
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:519
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:527
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:519
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:527
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:202
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface/llama_index/embeddings/huggingface/base.py:513
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-vertex/llama_index/embeddings/vertex/base.py:214
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:44
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/base.py:85
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-ibm/llama_index/embeddings/ibm/base.py:231
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-clip/llama_index/embeddings/clip/base.py:98
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-openai/llama_index/tools/openai/image_generation/base.py:122
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:68
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:319
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:328
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:337
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:595
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:622
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:662
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:68
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:113
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/cassandra_database_wrapper.py:60
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/base.py:41
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-cassandra/llama_index/tools/cassandra/base.py:29
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:57
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:82
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-waii/llama_index/tools/waii/base.py:111
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:34
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Direct execution of LLM-generated code in 'code_interpreter'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:21
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Critical decision without oversight in 'code_interpreter'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-code-interpreter/llama_index/tools/code_interpreter/base.py:21
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

User input 'message' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-slack/llama_index/tools/slack/base.py:54
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-slack/llama_index/tools/slack/base.py:46
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/utils.py:110
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/utils.py:113
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-mcp/llama_index/tools/mcp/base.py:230
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'neo4j_query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:89
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'question' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:148
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:148
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:74
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'text' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-elevenlabs/llama_index/tools/elevenlabs/base.py:102
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-text-to-image/llama_index/tools/text_to_image/base.py:35
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:157
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:214
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:262
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:310
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:358
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:406
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:454
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:502
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:550
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-vectara/llama_index/indices/managed/vectara/retriever.py:718
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-vectara/llama_index/indices/managed/vectara/retriever.py:713
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Unsafe data loading with pickle.load in training context/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-bge-m3/llama_index/indices/managed/bge_m3/base.py:157
Scan critical

Secure Data Loading: 1. Use safetensors instead of pickle for model weights 2. For torch.load, use weights_only=True 3. Verify checksums/signatures before loading 4. Only load data from trusted, verified sources 5. Implement content scanning before deserialization 6. Consider using JSON/YAML for configuration data

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-llama-cloud/llama_index/indices/managed/llama_cloud/retriever.py:147
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'ref_doc_id' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:176
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:217
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:216
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:310
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:423
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-solr/llama_index/vector_stores/solr/base.py:839
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azureaisearch/llama_index/vector_stores/azureaisearch/base.py:852
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:92
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:99
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-azurepostgresql/llama_index/vector_stores/azure_postgres/common/_shared.py:103
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:158
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:218
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:258
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:272
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:300
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:302
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:365
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:482
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:493
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:577
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:563
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:481
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:481
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:449
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-mysql/llama_index/vector_stores/alibabacloud_mysql/base.py:796
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-mysql/llama_index/vector_stores/alibabacloud_mysql/base.py:808
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

User input 'ref_doc_id' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:285
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:334
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:328
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'ref_doc_id' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:888
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:911
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:94
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:902
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'ref_doc_id' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:390
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:497
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:466
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-integrations/sparse_embeddings/llama-index-sparse-embeddings-fastembed/llama_index/sparse_embeddings/fastembed/base.py:114
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/adapter.py:119
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/adapter_utils.py:51
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/embeddings/common.py:103
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/mistralai/base.py:76
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/azure_openai/base.py:118
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/dataset_gen.py:121
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/openai/base.py:60
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'website_url' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-amazon-product-extraction/llama_index/packs/amazon_product_extraction/base.py:68
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-koda-retriever/llama_index/packs/koda_retriever/base.py:125
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

User input 'query' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:393
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:366
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:393
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-longrag/llama_index/packs/longrag/base.py:391
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-diff-private-simple-dataset/llama_index/packs/diff_private_simple_dataset/base.py:311
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-diff-private-simple-dataset/llama_index/packs/diff_private_simple_dataset/base.py:411
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:278
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:321
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-dense-x-retrieval/llama_index/packs/dense_x_retrieval/base.py:158
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output flows to sql_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-multi-tenancy-rag/llama_index/packs/multi_tenancy_rag/base.py:38
Scan critical

Mitigations for SQL Injection: 1. Use parameterized queries: cursor.execute(query, (param,)) 2. Never concatenate LLM output into SQL 3. Use ORM query builders (SQLAlchemy, Django ORM)

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-multi-tenancy-rag/llama_index/packs/multi_tenancy_rag/base.py:25
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raptor/llama_index/packs/raptor/base.py:141
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-self-discover/llama_index/packs/self_discover/base.py:197
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:99
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_str' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:182
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:182
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-mixture-of-agents/llama_index/packs/mixture_of_agents/base.py:180
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

LLM output used in dangerous code_execution sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:70
Scan critical

Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead

LLM output used in dangerous code_execution sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:71
Scan critical

Mitigations for Code Execution: 1. Never pass LLM output to eval() or exec() 2. Use safe alternatives (ast.literal_eval for data) 3. Implement sandboxing if code execution is required 4. Use allowlists for permitted operations 5. Consider structured output formats (JSON) instead

Model DoS vulnerability: LLM calls in loops, No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:38
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:165
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Direct execution of LLM-generated code in '__init__'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:51
Scan critical

Code Execution Security: 1. NEVER execute LLM-generated code directly with exec()/eval() 2. If code execution is necessary, use sandboxed environments (Docker, VM) 3. Implement strict code validation and static analysis before execution 4. Use allowlists for permitted functions/modules 5. Set resource limits (CPU, memory, time) for execution 6. Parse and validate code structure before running 7. Consider using safer alternatives (JSON, declarative configs) 8. Log all code execution attempts with full context 9. Require human review for generated code 10. Use tools like RestrictedPython for safer Python execution

Direct execution of LLM output in '__init__'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:51
Scan critical

NEVER directly execute LLM-generated code: 1. Remove direct execution: - Do not use eval(), exec(), or os.system() - Avoid dynamic code execution - Use safer alternatives (allow-lists) 2. If code generation is required: - Generate code for review only - Require human approval before execution - Use sandboxing (containers, VMs) - Implement strict security policies 3. Use structured outputs: - Return data, not code - Use JSON schemas - Define clear interfaces 4. Add safeguards: - Static code analysis before execution - Whitelist allowed operations - Rate limiting and monitoring

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llava-completion/llama_index/packs/llava_completion/base.py:39
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:325
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/param_tuner/base.py:204
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: LLM calls in loops, No rate limiting, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/nudge/base.py:64
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'prompt' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:102
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:54
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/jsonalyze/jsonalyze_query_engine.py:287
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/polars/polars_query_engine.py:160
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/query_engine/pandas/pandas_query_engine.py:177
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

User input 'query_bundle' embedded in LLM prompt/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:217
Scan critical

Mitigations: 1. Use structured prompt templates (e.g., LangChain PromptTemplate) 2. Implement input sanitization to remove prompt injection patterns 3. Use separate 'user' and 'system' message roles (ChatML format) 4. Apply input validation and length limits 5. Use allowlists for expected input formats 6. Consider prompt injection detection libraries

LLM output used in dangerous command_injection sink/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:217
Scan critical

Mitigations for Command Injection: 1. Never pass LLM output to shell commands 2. Use subprocess with shell=False and list arguments 3. Apply allowlist validation for expected values 4. Use shlex.quote() if shell execution is unavoidable 5. Consider alternative APIs that don't use shell

Model DoS vulnerability: No rate limiting, No input length validation, No timeout configuration, No token/context limits/private/tmp/llamaindex-test/llama-index-experimental/llama_index/experimental/retrievers/natural_language/nl_data_frame_retriever.py:216
Scan critical

Model DoS Mitigations: 1. Implement rate limiting per user/IP (@limiter.limit('10/minute')) 2. Validate and limit input length (max 1000 chars) 3. Set token limits (max_tokens=500) 4. Configure timeouts (timeout=30 seconds) 5. Avoid LLM calls in unbounded loops 6. Implement circuit breakers for cascading failures 7. Monitor and alert on resource usage 8. Use queuing for batch processing 9. Implement cost controls and budgets

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-core/llama_index/core/schema.py:8
Scan high

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Insecure tool function 'perform_request' executes dangerous operations/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-deepinfra/llama_index/llms/deepinfra/client.py:46
Scan high

Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations

Insecure tool function 'perform_request' executes dangerous operations/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-deepinfra/llama_index/llms/deepinfra/client.py:76
Scan high

Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations

Insecure tool function '_perform_request' executes dangerous operations/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-mondaydotcom/llama_index/readers/mondaydotcom/base.py:39
Scan high

Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/calendar/base.py:107
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/sheets/base.py:180
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/chat/base.py:249
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/drive/base.py:163
Scan high

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-google/llama_index/readers/google/gmail/base.py:53
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/graph.py:185
Scan high

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:364
Scan high

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Model artifacts exposed without protection in 'create_and_save_openvino_model'/private/tmp/llamaindex-test/llama-index-integrations/postprocessor/llama-index-postprocessor-openvino-rerank/llama_index/postprocessor/openvino_rerank/base.py:112
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Model artifacts exposed without protection in 'create_and_save_optimum_model'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-optimum/llama_index/embeddings/huggingface_optimum/base.py:87
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Unsafe data loading with torch.load in training context/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:50
Scan high

Secure Data Loading: 1. Use safetensors instead of pickle for model weights 2. For torch.load, use weights_only=True 3. Verify checksums/signatures before loading 4. Only load data from trusted, verified sources 5. Implement content scanning before deserialization 6. Consider using JSON/YAML for configuration data

Model artifacts exposed without protection in 'save'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py:36
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Model artifacts exposed without protection in 'create_and_save_openvino_model'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-openvino/llama_index/embeddings/huggingface_openvino/base.py:148
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Model artifacts exposed without protection in 'create_and_save_openvino_model'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-huggingface-openvino/llama_index/embeddings/huggingface_openvino/base.py:271
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-google/llama_index/tools/google/calendar/base.py:121
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_get_credentials'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-google/llama_index/tools/google/gmail/base.py:51
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Insecure tool function 'list_actions' executes dangerous operations/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-zapier/llama_index/tools/zapier/base.py:59
Scan high

Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations

Insecure tool function 'run_ingestion' executes dangerous operations/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-dashscope/llama_index/indices/managed/dashscope/utils.py:31
Scan high

Secure Tool/Plugin Implementation: 1. NEVER execute shell commands from LLM output directly 2. Use allowlists for permitted commands/operations 3. Validate all file paths against allowed directories 4. Use parameterized queries - never raw SQL from LLM 5. Validate URLs against allowlist before HTTP requests 6. Implement strict input schemas (JSON Schema, Pydantic) 7. Add rate limiting and request throttling 8. Log all tool invocations for audit 9. Use principle of least privilege 10. Implement human-in-the-loop for destructive operations

Model artifacts exposed without protection in 'push_to_hub'/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/cross_encoder.py:103
Scan high

Protect model artifacts from unauthorized access: 1. Implement strict access control: - Require authentication for model downloads - Use role-based access control (RBAC) - Log all artifact access attempts 2. Store artifacts securely: - Use private S3 buckets with signed URLs - Never store in /static or /public directories - Encrypt at rest and in transit 3. Model obfuscation: - Use model encryption - Implement model quantization - Remove unnecessary metadata 4. Add legal protection: - Include license files with models - Add watermarks to model outputs - Use model fingerprinting 5. Monitor access: - Track who downloads models - Alert on unauthorized access - Maintain audit logs

Critical decision without oversight in 'run'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-streamlit-chatbot/llama_index/packs/streamlit_chatbot/base.py:41
Scan high

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-txtai/llama_index/vector_stores/txtai/base.py:11
Scan medium

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Critical decision without oversight in 'bump'/private/tmp/llamaindex-test/llama-dev/llama_dev/pkg/bump.py:32
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'reset'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:218
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_summarize_oldest_chat_history'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/chat_summary_memory_buffer.py:262
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'reset'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/memory/types.py:146
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-core/llama_index/core/objects/base_node_mapping.py:4
Scan low

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-core/llama_index/core/objects/base.py:3
Scan low

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Critical decision without oversight in '__call__'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/program/multi_modal_llm_program.py:102
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'format_messages'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/prompts/rich.py:81
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'get_response'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/simple_summarize.py:76
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_refine_response_single'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/response_synthesizers/refine.py:275
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'synthesize'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_context.py:158
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/simple.py:75
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/simple.py:108
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'synthesize'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/chat_engine/multi_modal_condense_plus_context.py:237
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:53
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/llms/structured_llm.py:74
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'synthesize'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/multi_modal.py:111
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_query'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/query_engine/flare/base.py:188
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'evaluate'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/faithfulness.py:133
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'evaluate'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/evaluation/multi_modal/relevancy.py:112
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_query_with_selected_node'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/select_leaf_retriever.py:110
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_insert_under_parent_and_consolidate'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/tree/inserter.py:49
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_query'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/json_query.py:158
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'parse_response_to_sql'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/struct_store/sql_retriever.py:160
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_retrieve'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/retrievers.py:190
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_insert'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/knowledge_graph/base.py:234
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_insert_nodes'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/property_graph/base.py:195
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'build_index_from_nodes'/private/tmp/llamaindex-test/llama-index-core/llama_index/core/indices/common_tree/base.py:140
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_snapshot_messages'/private/tmp/llamaindex-test/llama-index-integrations/protocols/llama-index-protocols-ag-ui/llama_index/protocols/ag_ui/agent.py:89
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/extractors/llama-index-extractors-entity/llama_index/extractors/entity/base.py:66
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:183
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-premai/llama_index/llms/premai/base.py:214
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:225
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:263
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-genai/llama_index/llms/oci_genai/base.py:284
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-langchain/llama_index/llms/langchain/base.py:125
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:388
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:436
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ollama/llama_index/llms/ollama/base.py:445
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ipex-llm/llama_index/llms/ipex_llm/base.py:487
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:241
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:268
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:309
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistral-rs/llama_index/llms/mistral_rs/base.py:335
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-oci-data-science/llama_index/llms/oci_data_science/base.py:519
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:359
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-mistralai/llama_index/llms/mistralai/base.py:422
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ibm/llama_index/llms/ibm/base.py:514
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:191
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-xinference/llama_index/llms/xinference/base.py:213
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:283
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:310
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:330
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface-api/llama_index/llms/huggingface_api/base.py:336
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-openvino/llama_index/llms/openvino/base.py:92
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:208
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:237
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-sagemaker-endpoint/llama_index/llms/sagemaker_endpoint/base.py:246
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:243
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:301
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-zhipuai/llama_index/llms/zhipuai/base.py:306
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-azure-inference/llama_index/llms/azure_inference/base.py:383
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:155
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:195
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:228
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-reka/llama_index/llms/reka/base.py:282
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:272
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-llama-cpp/llama_index/llms/llama_cpp/base.py:285
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:306
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:357
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'structured_predict_without_function_calling'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:558
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_structured_predict'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:701
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'gen'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-google-genai/llama_index/llms/google_genai/base.py:731
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:106
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-friendli/llama_index/llms/friendli/base.py:140
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:272
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gemini/llama_index/llms/gemini/base.py:298
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:198
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:417
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:444
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-anthropic/llama_index/llms/anthropic/base.py:452
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-nvidia-tensorrt/llama_index/llms/nvidia_tensorrt/base.py:297
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-huggingface/llama_index/llms/huggingface/base.py:318
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_j2_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:340
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-ai21/llama_index/llms/ai21/base.py:405
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'complete'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:105
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-integrations/llms/llama-index-llms-gigachat/llama_index/llms/gigachat/base.py:148
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'load_data'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-file/llama_index/readers/file/image/base.py:75
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'extract_text_from_image'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-paddle-ocr/llama_index/readers/paddle_ocr/base.py:22
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'load_data'/private/tmp/llamaindex-test/llama-index-integrations/readers/llama-index-readers-github/llama_index/readers/github/collaborators/base.py:102
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/storage/kvstore/llama-index-storage-kvstore-elasticsearch/llama_index/storage/kvstore/elasticsearch/base.py:303
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'structured_query'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/neo4j_property_graph.py:612
Scan low

Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'query'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:260
Scan low

Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_entity'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neo4j/llama_index/graph_stores/neo4j/base.py:184
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'get'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:143
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'get_triplets'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:178
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'vector_query'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-tidb/llama_index/graph_stores/tidb/property_graph.py:423
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_rel'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:82
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_entity'/private/tmp/llamaindex-test/llama-index-integrations/graph_stores/llama-index-graph-stores-neptune/llama_index/graph_stores/neptune/base.py:92
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '_ensure_run'/private/tmp/llamaindex-test/llama-index-integrations/callbacks/llama-index-callbacks-wandb/llama_index/callbacks/wandb/base.py:536
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'build_localised_splits'/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-slide/llama_index/node_parser/slide/base.py:203
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'proposition_transfer'/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-topic/llama_index/node_parser/topic/base.py:129
Scan low

Critical financial, security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'is_same_topic_llm'/private/tmp/llamaindex-test/llama-index-integrations/node_parser/llama-index-node-parser-topic/llama_index/node_parser/topic/base.py:154
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in '__init__'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-upstage/llama_index/embeddings/upstage/base.py:63
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'main'/private/tmp/llamaindex-test/llama-index-integrations/embeddings/llama-index-embeddings-isaacus/examples/basic_usage.py:8
Scan low

Critical legal decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'construct_cypher_query'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-neo4j/llama_index/tools/neo4j/base.py:94
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'generate_images'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-text-to-image/llama_index/tools/text_to_image/base.py:20
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_files'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:333
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'write_files'/private/tmp/llamaindex-test/llama-index-integrations/tools/llama-index-tools-aws-bedrock-agentcore/llama_index/tools/aws_bedrock_agentcore/code_interpreter/base.py:381
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-integrations/indices/llama-index-indices-managed-bge-m3/llama_index/indices/managed/bge_m3/base.py:3
Scan low

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:175
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_nodes'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-wordlift/llama_index/vector_stores/wordlift/base.py:183
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'query'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-moorcheh/llama_index/vector_stores/moorcheh/base.py:310
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:142
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'add_text'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:220
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'drop'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-jaguar/llama_index/vector_stores/jaguar/base.py:484
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'clear'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-baiduvectordb/llama_index/vector_stores/baiduvectordb/base.py:394
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'database_query'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-neo4jvector/llama_index/vector_stores/neo4jvector/base.py:449
Scan low

Critical financial decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-alibabacloud-opensearch/llama_index/vector_stores/alibabacloud_opensearch/base.py:277
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-lindorm/llama_index/vector_stores/lindorm/base.py:879
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:377
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'delete_nodes'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:411
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'clear'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-elasticsearch/llama_index/vector_stores/elasticsearch/base.py:631
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'add'/private/tmp/llamaindex-test/llama-index-integrations/vector_stores/llama-index-vector-stores-pinecone/llama_index/vector_stores/pinecone/base.py:294
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'generate_synthetic_queries_over_documents'/private/tmp/llamaindex-test/llama-index-finetuning/llama_index/finetuning/cross_encoders/dataset_gen.py:35
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-recursive-retriever/llama_index/packs/recursive_retriever/embedded_tables_unstructured/base.py:4
Scan low

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Critical decision without oversight in 'generate_instructions_gen'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raft-dataset/llama_index/packs/raft_dataset/base.py:98
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'add_chunk_to_dataset'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-raft-dataset/llama_index/packs/raft_dataset/base.py:140
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'chat'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:278
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'stream_chat'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-cohere-citation-chat/llama_index/packs/cohere_citation_chat/citations_context_chat_engine.py:321
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Use of pickle for serialization/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-panel-chatbot/llama_index/packs/panel_chatbot/app.py:4
Scan low

Secure Serialization: 1. Use safer alternatives like safetensors 2. Never deserialize from untrusted sources 3. Consider using ONNX for model exchange

Critical decision without oversight in '__init__'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:56
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'run'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-llama-guard-moderator/llama_index/packs/llama_guard_moderator/base.py:99
Scan low

Critical security decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'execute'/private/tmp/llamaindex-test/llama-index-packs/llama-index-packs-searchain/llama_index/packs/searchain/base.py:165
Scan low

Critical security, data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'span'/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:264
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards

Critical decision without oversight in 'handle_future_result'/private/tmp/llamaindex-test/llama-index-instrumentation/src/llama_index_instrumentation/dispatcher.py:300
Scan low

Critical data_modification decision requires human oversight: 1. Implement human-in-the-loop review: - Add review queue for high-stakes decisions - Require explicit human approval before execution - Log all decisions for audit trail 2. Add verification mechanisms: - Cross-reference with trusted sources - Implement multi-step verification - Use confidence thresholds 3. Include safety checks: - Set limits on transaction amounts - Require secondary confirmation - Implement rollback mechanisms 4. Add disclaimers: - Inform users output may be incorrect - Recommend professional consultation - Document limitations clearly 5. Monitor and review: - Track decision outcomes - Review failures and near-misses - Continuously improve safeguards