Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-6210

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2.

Published

2025-07-07T10:15:29.040

Last Modified

2025-07-30T20:01:47.780

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.0: 6.2 (MEDIUM)

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	llamaindex	llamaindex	< 0.5.2	Yes

References

https://github.com/run-llama/llama_index/commit/a86c96ae0e662492eeb471b658ae849a93f628ff Patch ([email protected])
https://huntr.com/bounties/a654b322-a509-4448-a1f5-0f22850b4687 Exploit, Third Party Advisory ([email protected])