CVE-2025-6209: llama_index: path traversal allows arbitrary file read

GHSA-2rhq-96q8-4vjq HIGH CISA: TRACK*
Published July 7, 2025
CISO Take

CVE-2025-6209 is a no-authentication, network-exploitable path traversal in llama_index's image processing component that lets attackers read any file the process can access — including .env files, API keys, and SSH credentials. Any llama_index deployment accepting user-controlled image paths is exposed. Patch to 0.12.41 immediately and rotate all secrets accessible from the service process.

Risk Assessment

CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable over the network with zero authentication or user interaction. EPSS is low (0.0013), indicating limited active exploitation today, but the attack is elementary — a one-line curl command — and the payoff is high: API keys, database credentials, and LLM provider tokens stored in .env files. LlamaIndex is deployed in thousands of production RAG and agent systems, making the aggregate exposure significant even if per-instance probability remains low.

Affected Systems

Package           Ecosystem   Vulnerable Range         Patched
llama-index-core  pip         >= 0.11.23, < 0.12.41    0.12.41

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

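Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None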

Recommended Action

5 steps
  1. PATCH

    Upgrade llama-index-core to >= 0.12.41 — the only complete fix.

  2. DETECT

    Audit logs for path traversal patterns in image_path inputs (../, %2e%2e, %252e, absolute paths starting with /etc or /app).

  3. WORKAROUND

    If patching is delayed, reject any image_path containing traversal sequences or pointing outside a designated uploads directory before passing to encode_image.

  4. ROTATE

    Treat all API keys, database passwords, and secrets accessible from the llama_index process as potentially compromised; rotate proactively.

  5. HARDEN

    Run llama_index services in containers with read-only filesystems and a minimal bind-mounted secrets volume; apply least-privilege file permissions.
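
Steps 2 and 3 as a Python sketch, added here for illustration and not taken from llama_index or its 0.12.41 fix. UPLOAD_ROOT, the function names and the sample values are assumptions. The detection check flags every absolute path, which is broader than the /etc and /app prefixes named in step 2.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed uploads directory; neither the page nor llama_index defines it.
UPLOAD_ROOT = Path("/srv/app/uploads")

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding, e.g. %252e -> %2e -> '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(logged_path: str) -> bool:
    """DETECT: flag a logged image_path that is absolute or has a '..' segment."""
    path = fully_decode(logged_path).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def resolve_upload(image_path: str, root: Path = UPLOAD_ROOT) -> Path:
    """WORKAROUND: return the resolved path inside root, or raise ValueError.

    Call this on the exact string that would be handed to encode_image,
    after the web framework has finished its own decoding.
    """
    if "\x00" in image_path:
        raise ValueError("NUL byte in image_path")
    root = root.resolve()
    # resolve() collapses '..' and follows symlinks; an absolute image_path
    # replaces root entirely, so the containment check below rejects it too.
    candidate = (root / image_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"image_path escapes {root}") from None
    return candidate

# Constructed sample values, as they might appear in request logs.
SAMPLES = ["cats/photo.png", "../../../../app/.env",
           "%252e%252e/%252e%252e/app/.env", "/etc/passwd"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: suspicious={is_suspicious(s)}")
```

The guard checks the resolved path rather than matching substrings, so a symlink inside the uploads directory that points elsewhere is rejected as well.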

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system design and development controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk management are in place
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities; LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6209?

CVE-2025-6209 is a no-authentication, network-exploitable path traversal in llama_index's image processing component that lets attackers read any file the process can access — including .env files, API keys, and SSH credentials. Any llama_index deployment accepting user-controlled image paths is exposed. Patch to 0.12.41 immediately and rotate all secrets accessible from the service process.

Is CVE-2025-6209 actively exploited?

No confirmed active exploitation of CVE-2025-6209 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-6209?

1. PATCH: Upgrade llama-index-core to >= 0.12.41 — the only complete fix.
2. DETECT: Audit logs for path traversal patterns in image_path inputs (../, %2e%2e, %252e, absolute paths starting with /etc or /app).
3. WORKAROUND: If patching is delayed, reject any image_path containing traversal sequences or pointing outside a designated uploads directory before passing to encode_image.
4. ROTATE: Treat all API keys, database passwords, and secrets accessible from the llama_index process as potentially compromised; rotate proactively.
5. HARDEN: Run llama_index services in containers with read-only filesystems and a minimal bind-mounted secrets volume; apply least-privilege file permissions.

What systems are affected by CVE-2025-6209?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, multimodal agent frameworks, document processing pipelines, model serving.

What is the CVSS score for CVE-2025-6209?

CVE-2025-6209 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.44%.

Technical Details

NVD Description

A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

Exploitation Scenario

An adversary identifies a production RAG application built on llama_index that exposes a document ingestion API. They craft a POST request with image_path set to '../../../../app/.env'. The encode_image function in generic_utils.py opens the file without any path validation, returning its raw contents in the response. The attacker extracts the OpenAI API key and Pinecone credentials, then queries the vector store directly to exfiltrate all indexed proprietary documents. Using the OpenAI key, they also access usage history to profile the organization's AI workloads and cost exposure.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 7, 2025
Last Modified: July 8, 2025
First Seen: March 24, 2026
