AI Threat Alert

CVE-2025-6209

GHSA-2rhq-96q8-4vjq HIGH
Published July 7, 2025

A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
llama-index-core pip >= 0.11.23, < 0.12.41 0.12.41

Do you use llama-index-core? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update llama-index-core to version 0.12.41

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

Weaknesses (CWE)

CWE-29 Path Traversal: '..filename' Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
July 7, 2025
Last Modified
July 8, 2025
First Seen
March 24, 2026
Back to Threat Feed