Much like Ollama and llama.cpp, LlamaIndex supplies an utility layer for connecting your knowledge to LLMs and interacting with it by way of a chat interface. Whereas LlamaIndex is an open supply venture like different LLM utility frameworks, LlamaIndex can be an organization, with a current Collection A, a business providing, and a extra polished aesthetic than their strictly DIY counterparts. Maybe as a result of LlamaIndex provides a managed different, there are fewer self-hosted LlamaIndex cases than comparable open supply initiatives, although it could be that they’re hosted in methods more durable to detect with web serps.
About LlamaIndex
The LlamaIndex firm distinguishes between two elements: LlamaCloud, their business providing that hosts the product and connects it to prospects’ knowledge sources, and LlamaIndex, the open supply software program that customers can host in the event that they need to deal with the info ingestion on their very own.
From www.llamaindex.ai
The info integration capabilities of LlamaCloud level to why customers would select LlamaIndex over one thing like Ollama. Whereas LlamaIndex can be utilized strictly as a frontend for prompting a mannequin, the true profit is connecting it to a company’s knowledge sources for retrieval-augmented technology–a generative AI technique that may be helpful each for public, finish user-facing functions and for inside functions working on confidential knowledge.
As an open supply venture, LlamaIndex could be very common, with 41k stars and 5.9k forks on Github. Placing these within the context of the main strictly open supply initiatives, nevertheless, we will see it has much less adoption amongst that neighborhood than Ollama (141k stars and 11.8k forks) and the unique llama.cpp (80.3k stars and 11.8k).
Discovering accessible LlamaIndex apps
To search out LlamaIndex cases we used figuring out options like web page title and favicon to question web serps. These search strategies aren’t good–customers can change the web page title and favicon–however are efficient for gaining some broad visibility.
For risk intelligence groups trying to analysis their very own potential publicity through LlamaIndex cases, the Shodan dork for LlamaIndex’s favicon is “Http.favicon.hash:-1404538293”. That presently returns 34 outcomes. They can be recognized by the default title “Create Llama App,” which has 24 outcomes.
Censys provides a number of choices that finally quantity to fairly comparable outcomes.
41 outcomes for internet.endpoints.http.html_title = “Create Llama App”48 outcomes for internet.endpoints.http.html_tags = “”96 outcomes for internet.endpoints.http.favicons.hash_md5 = “18bd095298992dd12d863c10cbe0857c”
The Censys favicon search seems to seek out way more, however it is because Censys returns separate search outcomes for the IP handle and hostname. That stated, there are variations by which hosts Shodan and Censys determine, making it useful to make use of each when doable.
One other discovery mechanism is to make use of Google dorking to seek for comparable options. This methodology returns few outcomes however illustrates how there will be cases on subdomains of cloud service suppliers that aren’t essentially discoverable when scanning by IP handle. LlamaIndex’s www.secinsights.ai is one other instance of a web site powered by LlamaIndex the place default options just like the favicon and title have been modified.
Compared to different applied sciences, round 50 cases isn’t loads– there are 460 llama.cpp servers and 18,000 Ollama servers. Primarily based on the venture’s Github exercise it appears affordable to suppose that there are extra LlamaIndex cases someplace, probably deployed to internet hosting companies within the blindspot of IP-based web serps. For organizations trying to absolutely perceive the publicity of their provide chain, subdomain enumeration and different DNS discovery instruments might probably discover extra apps utilizing LlamaIndex. The examples we did discover, although, have been ample as an instance the dangers related to misconfigured LlamaIndex cases.
Dangers of misconfigured LlamaIndex appsLeaking Personally Identifiable DataProfessional immediate engineering: in response to “hello” the app returns a CSV containing conversations between prospects and help employees.
The file included 10,102 traces of information, with about 100 traces of apparent check knowledge on the finish. The remaining included messages virtually completely in French describing help instances for HR time monitoring software program. For instance, one message in English reads partly: “Dear support team,|||On the 16 of May I had a day off under the category [redacted]. However, the system instead of taking into account the leave for the whole day, it took it only for 3 hours and the rest 5 hours it deducted them from my excess hours. Please find a screenshot of that week in [redacted] attached.”
Partial examples of help ticket knowledge with identifiable individual’s title redacted.
Different knowledge leakage dangers
One third of the LlamaIndex cases have been operational and allowed unauthenticated entry. Easy prompts resulted in them divulging no matter info that they had been offered. For instance, asking “what are you?” would trigger the bot to reply with contextual info to information additional queries.
Chatbot sharing its objective with minimal prompting. I really drive a Jetta, not a Jaguar F-PACE. That info is coming from a doc uploaded by the system’s operator.
In some instances, the bots would supply their reference paperwork straight; in others, they might state they might not present the paperwork however would reply any questions utilizing the knowledge in them. In reality, the bots have been fairly adept at utilizing all accessible info to attempt to discover solutions to questions. For instance, once I requested what yr a doc was from, it responded that there was no particular date within the doc, however that the filename contained a quantity that matched a DDMMYYYY date format, seemingly indicating the file was from April 2025. That chain of reasoning is precisely what we’d have executed if we had entry to the file itself.
Instance of app sharing PDFs straight
Instance of app that received’t share the doc however will suggest questions guiding its disclosure. Expanded assault floor dangers
A much less extreme threat, however one that may contribute to a lack of knowledge confidentiality, is exposing LlamaIndex apps to the web in any respect, thereby permitting attackers to try to authenticate or exploit vulnerabilities. Ideally inside chatbots would solely be accessible from an organization’s community. Working chatbots on their very own public IP will increase an organization’s assault floor and the overhead to keep up them. If person account or API credentials have been compromised, then attackers would be capable to entry the info. With identity-based assaults among the many largest contributors to knowledge breaches in 2024, that’s not far-fetched.
Publicly accessible login web page for a LlamaIndex utility. Conclusion
LlamaIndex is essentially just like different LLM chat interfaces, with some variations in its market place that result in variations in its web footprint. When uncovered to the web, these cases are then accessible for attackers to try to entry; when they’re configured with out authentication, they’re straight accessible to prompting. Relying on the particulars of occasion configuration, knowledge loaded into an uncovered LlamaIndex could also be straight accessible or extractable by way of prompting. The issues of AI knowledge leakage are observable within the wild in these cases and well worth the consideration of safety groups.
The observable leaks in self-hosted LlamaIndex cases shouldn’t be seen as a vulnerability on this software program; the truth is they could be probably the greatest promoting factors for the LlamaCloud service. Self-hosted software program is a persistent drawback in vulnerability administration, as every group operating self-hosted software program is answerable for making use of their very own updates. When new vulnerabilities are found, the businesses operating managed cases patch them rapidly, whereas these selecting to host it themselves typically lag behind. We now have seen this sample for years with Atlassian merchandise, the place accounts operating in Atlassian Cloud are safe whereas vulnerabilities are actively exploited for self-hosted cases. Equally, the current NextJS vulnerability was rapidly patched by Vercel for all cases underneath their administration whereas exploitation continued for these exterior their attain. One of many stuff you pay for with a managed service is safety, which is often cash nicely spent.