CVE-2025-3046: LlamaIndex Obsidian: symlink traversal exposes host files

GHSA-fmrf-6jv9-qjc7 | Severity: HIGH | CISA SSVC: Track*
Published July 7, 2025
CISO Take

LlamaIndex's ObsidianReader blindly follows symlinks without path validation, letting anyone who can write to a vault directory read arbitrary host files during document ingestion. Patch to llama-index-readers-obsidian 0.5.1 immediately. This is especially dangerous in RAG pipelines where vault content is untrusted, shared, or synced from external sources.

Risk Assessment

CVSS 7.5 with no authentication, no user interaction, and low attack complexity makes exploitation straightforward for any attacker with write access to the vault directory. EPSS 0.00142 indicates no current active exploitation. Risk is elevated in multi-tenant setups, CI/CD pipelines auto-ingesting Obsidian vaults, or any deployment where vault content originates from untrusted parties. Absence from CISA KEV lowers urgency slightly, but the zero-friction exploitation path warrants prompt patching.

Affected Systems

Package: llama-index-readers-obsidian
Ecosystem: pip
Vulnerable range: < 0.5.1
Patched version: 0.5.1

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 66% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: trivial
Exploitation confidence: medium
CISA SSVC: public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Recommended Action

  1. Upgrade llama-index-readers-obsidian to >= 0.5.1 immediately.
  2. Audit vault directories for unexpected symlinks: `find <vault_dir> -type l`.
  3. Run ingestion processes in containers or chrooted environments with filesystem access limited to the vault path.
  4. If immediate upgrade is blocked, pre-scan vault contents by resolving all symlink targets and rejecting paths outside the vault root before invoking ObsidianReader.
  5. Review existing vector store contents for anomalous data (credentials, config fragments) that may have been ingested prior to patching.

CISA SSVC Assessment

Decision: Track*
Exploitation: PoC
Automatable: Yes
Technical Impact: Partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.2 - AI system access control
NIST AI RMF: MS-2.5 - Manage: AI Risk Treatment
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2025-3046 actively exploited?

No confirmed active exploitation of CVE-2025-3046 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-3046?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, knowledge base loaders, agent frameworks.

What is the CVSS score for CVE-2025-3046?

CVE-2025-3046 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.49%.

Technical Details

NVD Description

A vulnerability in the `ObsidianReader` class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llama_index repository (versions 0.12.23 to 0.12.28) allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Exploitation Scenario

An attacker with write access to an Obsidian vault — via a compromised sync service (e.g., iCloud Drive, Git repo), shared network folder, or insider — places a symlink: `vault/notes.md -> /home/appuser/.env`. When the LlamaIndex ingestion job runs, ObsidianReader processes the symlink as a valid Markdown file and loads the .env contents into the RAG vector store. A downstream query such as 'list API keys in use' surfaces the credentials via normal LLM response. The attacker never touches the application directly — vault write access is the only requirement.
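The pre-scan that step 4 of the recommended actions describes, applied to the `vault/notes.md -> .env` pattern from the scenario above, as an added example (not code from LlamaIndex or the advisory): every vault entry is resolved through its symlink chain and rejected if the real path leaves the vault root. `partition_vault` and `demo` are hypothetical helper names; the vault and the fake `.env` are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def partition_vault(vault_root: str) -> tuple[list[str], list[str]]:
    """Split a vault's Markdown entries into ones whose resolved path stays
    inside the vault root and ones that escape it through a symlink.

    Returns (accepted, rejected), both as paths relative to the vault.
    Hypothetical pre-scan helper; not part of llama-index-readers-obsidian.
    """
    root = Path(vault_root).resolve()
    accepted, rejected = [], []
    # followlinks=False: never descend into a symlinked directory
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_dir() and not entry.is_symlink():
                continue  # ordinary subdirectory; os.walk descends into it
            real = entry.resolve()  # follows the whole symlink chain
            rel = str(entry.relative_to(root))
            if not real.is_relative_to(root):
                rejected.append(rel)  # target lies outside the vault
            elif entry.suffix == ".md" and real.is_file():
                accepted.append(rel)
    return sorted(accepted), sorted(rejected)


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: one real note, one in-vault symlink and one
    symlink named like a note but pointing at a fake .env outside the vault."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "outside" / ".env"
        secret.parent.mkdir()
        secret.write_text("API_KEY=placeholder-not-a-real-key\n")
        vault = base / "vault"
        vault.mkdir()
        (vault / "daily.md").write_text("# real note\n")
        os.symlink(vault / "daily.md", vault / "alias.md")  # stays inside
        os.symlink(secret, vault / "notes.md")              # escapes vault
        accepted, rejected = partition_vault(str(vault))
        if rejected:
            # Fail closed: do not hand this vault to ObsidianReader.
            print("refusing ingestion, symlinks escape the vault:", rejected)
        return accepted, rejected
```

Run the scan against the real vault path and abort the ingestion job whenever the rejected list is non-empty; a symlink that stays inside the vault (like `alias.md`) is still accepted.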

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 7, 2025
Last Modified: July 7, 2025
First Seen: March 24, 2026