ByteOS Network

CVE Vulnerability Details :

CVE-2025-3046

PUBLISHED

More Info Official Page

Assigner-@huntr_ai

Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a

Published At-07 Jul, 2025 | 09:54

Updated At-07 Jul, 2025 | 14:00

▼CVE Numbering Authority (CNA)

Path Traversal via Symbolic Links in run-llama/llama_index

A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Affected Products

Vendor

run-llama

Product

run-llama/llama_index

Versions

Affected

From unspecified before 0.12.28 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-22	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Metrics

Version	Base score	Base severity	Vector
3.0	7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Hyperlink	Resource
https://huntr.com/bounties/90a1f1b2-bb82-4d66-9fc1-856ed5f904da	N/A
https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e	N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

References

Hyperlink	Resource
https://huntr.com/bounties/90a1f1b2-bb82-4d66-9fc1-856ed5f904da	exploit

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References