CVE-2025-3046: LlamaIndex symlink traversal exposes

CISO Take

LlamaIndex's ObsidianReader blindly follows symlinks without path validation, letting anyone who can write to a vault directory read arbitrary host files during document ingestion. Patch to llama-index-readers-obsidian 0.5.1 immediately. This is especially dangerous in RAG pipelines where vault content is untrusted, shared, or synced from external sources.

What is the risk?

CVSS 7.5 with no authentication, no user interaction, and low attack complexity makes exploitation straightforward for any attacker with write access to the vault directory. EPSS 0.00142 indicates no current active exploitation. Risk is elevated in multi-tenant setups, CI/CD pipelines auto-ingesting Obsidian vaults, or any deployment where vault content originates from untrusted parties. Absence from CISA KEV lowers urgency slightly, but the zero-friction exploitation path warrants prompt patching.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LlamaIndex	pip	< 0.5.1	`0.5.1`
50.2K 238 dependents Pushed 3d ago 87% patched ~50d to patch Full package profile →

Do you use LlamaIndex? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 42% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Upgrade llama-index-readers-obsidian to >= 0.5.1 immediately.
Audit vault directories for unexpected symlinks: find <vault_dir> -type l.
Run ingestion processes in containers or chrooted environments with filesystem access limited to the vault path.
If immediate upgrade is blocked, pre-scan vault contents by resolving all symlink targets and rejecting paths outside the vault root before invoking ObsidianReader.
Review existing vector store contents for anomalous data (credentials, config fragments) that may have been ingested prior to patching.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework RAG AML.T0010.001 - AI Software AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0085.000 - RAG Databases

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - AI system access control

NIST AI RMF

MS-2.5 - Manage: AI Risk Treatment

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-3046?

LlamaIndex's ObsidianReader blindly follows symlinks without path validation, letting anyone who can write to a vault directory read arbitrary host files during document ingestion. Patch to llama-index-readers-obsidian 0.5.1 immediately. This is especially dangerous in RAG pipelines where vault content is untrusted, shared, or synced from external sources.

Is CVE-2025-3046 actively exploited?

No confirmed active exploitation of CVE-2025-3046 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-3046?

1. Upgrade llama-index-readers-obsidian to >= 0.5.1 immediately. 2. Audit vault directories for unexpected symlinks: `find <vault_dir> -type l`. 3. Run ingestion processes in containers or chrooted environments with filesystem access limited to the vault path. 4. If immediate upgrade is blocked, pre-scan vault contents by resolving all symlink targets and rejecting paths outside the vault root before invoking ObsidianReader. 5. Review existing vector store contents for anomalous data (credentials, config fragments) that may have been ingested prior to patching.

What systems are affected by CVE-2025-3046?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, knowledge base loaders, agent frameworks.

What is the CVSS score for CVE-2025-3046?

CVE-2025-3046 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.56%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesdocument ingestion pipelinesknowledge base loadersagent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.6.1.2

NIST AI RMF: MS-2.5

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A vulnerability in the `ObsidianReader` class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llama_index repository (versions 0.12.23 to 0.12.28) allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Exploitation Scenario

An attacker with write access to an Obsidian vault — via a compromised sync service (e.g., iCloud Drive, Git repo), shared network folder, or insider — places a symlink: `vault/notes.md -> /home/appuser/.env`. When the LlamaIndex ingestion job runs, ObsidianReader processes the symlink as a valid Markdown file and loads the .env contents into the RAG vector store. A downstream query such as 'list API keys in use' surfaces the credentials via normal LLM response. The attacker never touches the application directly — vault write access is the only requirement.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.