CVE-2025-7707

High CVSS: 7.8

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

Vendor

Llamaindex

Product

Llamaindex

CWE

CWE-377

Yayın Tarihi

2025-10-13 17:15:35

Güncelleme

2025-10-21 14:48:53

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-377 Llamaindex HIGH Llamaindex 2025

Referanslar

https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4 https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

Benzer Kayıtlar

High

CVE-2024-14021

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability i…

High

CVE-2024-58339

LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vuln…

Medium

CVE-2025-6211

A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the…

High

CVE-2025-6209

A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the…

Medium

CVE-2025-6210

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, al…

Medium

CVE-2025-5472

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive…