Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-53358

kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7 which has not been made public at time of publication.

Published

2025-07-02T16:15:29.280

Last Modified

2025-07-03T15:13:53.147

Status

Awaiting Analysis

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

References

https://github.com/Cinnamon/kotaemon/commit/37cdc28ceb46e505d25221584daf1fe61e26b2cc ([email protected])
https://github.com/Cinnamon/kotaemon/pull/755 ([email protected])
https://github.com/Cinnamon/kotaemon/security/advisories/GHSA-jw4w-xcvf-jq5x ([email protected])