Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-3046
Analyzed
More InfoOfficial Page
Source-security@huntr.dev
View Known Exploited Vulnerability (KEV) details
Published At-07 Jul, 2025 | 10:15
Updated At-30 Jul, 2025 | 21:25

A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
llamaindex
llamaindex
>>llamaindex>>Versions from 0.12.23(inclusive) to 0.12.28(exclusive)
cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Secondarysecurity@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42esecurity@huntr.dev
Patch
https://huntr.com/bounties/90a1f1b2-bb82-4d66-9fc1-856ed5f904dasecurity@huntr.dev
Exploit
Third Party Advisory
https://huntr.com/bounties/90a1f1b2-bb82-4d66-9fc1-856ed5f904da134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
Change History
0Changes found
Details not found