CVE-2025-6209

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-6209

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6209.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-6209

Aliases

Published

2025-07-07T13:15:28.823Z

Modified

2026-03-14T12:44:26.766973Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the encode_image function in generic_utils.py. This vulnerability allows an attacker to manipulate the image_path input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

References

Affected packages

Git / github.com/run-llama/llama_index

Affected ranges

Type

GIT

Repo

https://github.com/run-llama/llama_index

Events

Introduced

fb871e4751b136b04cbf104bdd36c5ead9b1af10

Fixed

98739a603768e37a98c70275113d98e5d1f0979e

Fixed

cdeaab91a204d1c3527f177dac37390327aef274

Database specific

{
    "versions": [
        {
            "introduced": "0.12.27"
        },
        {
            "fixed": "0.12.41"
        }
    ]
}

Affected versions

v0.*

v0.12.27

v0.12.28

v0.12.29

v0.12.30

v0.12.31

v0.12.32

v0.12.33

v0.12.34

v0.12.34.post1

v0.12.34.post2

v0.12.35

v0.12.36

v0.12.37

v0.12.38

v0.12.39

v0.12.40

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6209.json"