CVE-2025-6210: llama-index Obsidian reader: hardlink path traversal leaks files

GHSA-3j8r-jf9w-5cmh MEDIUM CISA: TRACK*
Published July 7, 2025
CISO Take

Upgrade llama-index-readers-obsidian to 0.5.2 now if any pipeline ingests Obsidian vault data into an LLM or RAG system. In environments where untrusted users can write to the vault directory — shared knowledge bases, synced team folders, or multi-tenant setups — an attacker can plant a hardlink to /etc/passwd or SSH keys and have them silently read into LLM context. Isolated single-user deployments are low risk; shared pipelines are not.

Risk Assessment

CVSS 6.2 medium with local attack vector and no privileges required. EPSS 0.00046 indicates negligible active exploitation. Risk is context-dependent: low in isolated single-user environments, elevated in shared or multi-tenant RAG pipelines where the vault input directory is attacker-influenced. The confidentiality-only impact and local-only vector constrain blast radius, but containerized AI workloads running as root amplify exposure significantly.

Affected Systems

Package: llama-index-readers-obsidian
Ecosystem: pip
Vulnerable range: < 0.5.2
Patched: 0.5.2

Severity & Risk

CVSS 3.1: 6.2 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

Recommended Action

  1. Patch: Upgrade llama-index-readers-obsidian to >= 0.5.2 — this is the only complete fix.

  2. Workaround (if patching delayed): Run the ObsidianReader process in a container or chroot with a read-only bind mount of only the vault directory; deny access to /etc, /root, /home, and secret mount paths.

  3. Principle of least privilege: Ensure all LLM data ingestion processes run as non-root with minimal filesystem permissions.

  4. Detection: Audit inode-level file access logs (auditd, eBPF) during load_data() calls for reads outside the declared vault path.

  5. Inventory: Search your codebase and dependency trees for imports of llama-index-readers-obsidian < 0.5.2.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system data management
NIST AI RMF: MANAGE 2.2 - Mechanisms for managing risks from third-party entities
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2025-6210 actively exploited?

No confirmed active exploitation of CVE-2025-6210 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-6210?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks.

What is the CVSS score for CVE-2025-6210?

CVE-2025-6210 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, before version 0.5.2 (specifically in version 0.12.27 of llama-index), allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in llama-index-readers-obsidian version 0.5.2.

Exploitation Scenario

A threat actor with write access to a shared Obsidian vault being continuously ingested by a llama-index RAG pipeline — common in team knowledge management setups — creates a hardlink inside the vault: ln /etc/passwd vault_dir/notes/system-info.md. On the next scheduled load_data() run, ObsidianReader follows the hardlink without detecting it is outside the vault boundary and ingests /etc/passwd into the LLM context. If the pipeline stores embeddings, logs LLM context, or surfaces retrieved chunks to users via a chatbot interface, the file contents are exposed. The same technique applies to /run/secrets/api_key, ~/.aws/credentials, or any file the pipeline process can read.
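The scenario above, together with the workaround and detection steps under Recommended Action, comes down to one check before any note reaches the reader: a hardlink is a second name for the same inode, so resolving the path reveals nothing and the usable filesystem signal is st_nlink > 1. The Python below is an added example, not code from llama-index or from this advisory; scan_vault, safe_note_paths and build_demo are names chosen here, and the vault it scans is constructed in a temporary directory with a stand-in "secret" file rather than /etc/passwd.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

def scan_vault(vault_dir, expected_uid: Optional[int] = None) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for each vault entry that must not be ingested.

    Hardlinks cannot be detected by resolving the path, so the check is st_nlink > 1,
    optionally backed by an owner check; symlinks are resolved and bounded separately.
    """
    vault = Path(vault_dir).resolve()
    rejected = []
    for path in sorted(vault.rglob("*")):
        st = path.lstat()                      # stat the entry itself, not a symlink target
        rel = str(path.relative_to(vault))
        if stat.S_ISLNK(st.st_mode):
            target = path.resolve()
            if target != vault and vault not in target.parents:
                rejected.append((rel, "symlink escapes vault"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_nlink > 1:                    # another name for this inode exists somewhere
            rejected.append((rel, f"hardlink (nlink={st.st_nlink})"))
        elif expected_uid is not None and st.st_uid != expected_uid:
            rejected.append((rel, f"unexpected owner uid {st.st_uid}"))
    return rejected

def safe_note_paths(vault_dir, expected_uid: Optional[int] = None) -> List[str]:
    """Markdown notes that passed every check; hand only these to the reader."""
    vault = Path(vault_dir).resolve()
    bad = {rel for rel, _ in scan_vault(vault, expected_uid)}
    return sorted(str(p.relative_to(vault)) for p in vault.rglob("*.md")
                  if p.is_file() and str(p.relative_to(vault)) not in bad)

def build_demo():
    """Constructed vault in a temp dir: one real note plus a hardlink planted the
    same way as in the scenario (ln <secret> vault/notes/system-info.md)."""
    root = Path(tempfile.mkdtemp(prefix="obsidian-demo-"))
    notes = root / "vault" / "notes"
    notes.mkdir(parents=True)
    (notes / "todo.md").write_text("# todo\n- rotate keys\n")
    secret = root / "secret.txt"               # stands in for /etc/passwd (constructed)
    secret.write_text("token=CONSTRUCTED\n")
    os.link(secret, notes / "system-info.md")  # same filesystem, so the link succeeds
    return scan_vault(root / "vault"), safe_note_paths(root / "vault")

if __name__ == "__main__":
    flagged, allowed = build_demo()
    print("rejected:", flagged)   # [('notes/system-info.md', 'hardlink (nlink=2)')]
    print("ingest:", allowed)     # ['notes/todo.md']
```

The nlink check also rejects notes a sync tool has legitimately hardlinked, so expect a few false positives in vaults managed that way. Hardlinks cannot cross filesystems, so keeping the vault on its own volume, as the bind-mount workaround does, prevents the planting step itself.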

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: July 7, 2025
Last Modified: July 8, 2025
First Seen: March 24, 2026
