CVE-2025-6210: LlamaIndex llama-index Obsidian

Q: Is CVE-2025-6210 actively exploited?

No confirmed active exploitation of CVE-2025-6210 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-6210?

1. Patch: Upgrade llama-index-readers-obsidian to >= 0.5.2 — this is the only complete fix. 2. Workaround (if patching delayed): Run the ObsidianReader process in a container or chroot with a read-only bind mount of only the vault directory; deny access to /etc, /root, /home, and secret mount paths. 3. Principle of least privilege: Ensure all LLM data ingestion processes run as non-root with minimal filesystem permissions. 4. Detection: Audit inode-level file access logs (auditd, eBPF) during load_data() calls for reads outside the declared vault path. 5. Inventory: Search your codebase and dependency trees for imports of llama-index-readers-obsidian < 0.5.2.

Q: What systems are affected by CVE-2025-6210?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks.

Q: What is the CVSS score for CVE-2025-6210?

CVE-2025-6210 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.29%.

CISO Take

Upgrade llama-index-readers-obsidian to 0.5.2 now if any pipeline ingests Obsidian vault data into an LLM or RAG system. In environments where untrusted users can write to the vault directory — shared knowledge bases, synced team folders, or multi-tenant setups — an attacker can plant a hardlink to /etc/passwd or SSH keys and have them silently read into LLM context. Isolated single-user deployments are low risk; shared pipelines are not.

What is the risk?

CVSS 6.2 medium with local attack vector and no privileges required. EPSS 0.00046 indicates negligible active exploitation. Risk is context-dependent: low in isolated single-user environments, elevated in shared or multi-tenant RAG pipelines where the vault input directory is attacker-influenced. The confidentiality-only impact and local-only vector constrain blast radius, but containerized AI workloads running as root amplify exposure significantly.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LlamaIndex	pip	< 0.5.2	`0.5.2`
50.2K 238 dependents Pushed 3d ago 87% patched ~50d to patch Full package profile →

Do you use LlamaIndex? You're affected.

How severe is it?

CVSS 3.1

6.2 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Patch: Upgrade llama-index-readers-obsidian to >= 0.5.2 — this is the only complete fix.
Workaround (if patching delayed): Run the ObsidianReader process in a container or chroot with a read-only bind mount of only the vault directory; deny access to /etc, /root, /home, and secret mount paths.
Principle of least privilege: Ensure all LLM data ingestion processes run as non-root with minimal filesystem permissions.
Detection: Audit inode-level file access logs (auditd, eBPF) during load_data() calls for reads outside the declared vault path.
Inventory: Search your codebase and dependency trees for imports of llama-index-readers-obsidian < 0.5.2.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Supply Chain Framework RAG AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system data management

NIST AI RMF

MANAGE 2.2 - Mechanisms for managing risks from third-party entities

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2025-6210?

Upgrade llama-index-readers-obsidian to 0.5.2 now if any pipeline ingests Obsidian vault data into an LLM or RAG system. In environments where untrusted users can write to the vault directory — shared knowledge bases, synced team folders, or multi-tenant setups — an attacker can plant a hardlink to /etc/passwd or SSH keys and have them silently read into LLM context. Isolated single-user deployments are low risk; shared pipelines are not.

Is CVE-2025-6210 actively exploited?

No confirmed active exploitation of CVE-2025-6210 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-6210?

1. Patch: Upgrade llama-index-readers-obsidian to >= 0.5.2 — this is the only complete fix. 2. Workaround (if patching delayed): Run the ObsidianReader process in a container or chroot with a read-only bind mount of only the vault directory; deny access to /etc, /root, /home, and secret mount paths. 3. Principle of least privilege: Ensure all LLM data ingestion processes run as non-root with minimal filesystem permissions. 4. Detection: Audit inode-level file access logs (auditd, eBPF) during load_data() calls for reads outside the declared vault path. 5. Inventory: Search your codebase and dependency trees for imports of llama-index-readers-obsidian < 0.5.2.

What systems are affected by CVE-2025-6210?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks.

What is the CVSS score for CVE-2025-6210?

CVE-2025-6210 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesdocument ingestion pipelinesagent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM02:2025, LLM03:2025

What are the technical details?

Original Advisory

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, before version 0.5.2 (specifically in version 0.12.27 of llama-index), allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in llama-index-readers-obsidian version 0.5.2.

Exploitation Scenario

A threat actor with write access to a shared Obsidian vault being continuously ingested by a llama-index RAG pipeline — common in team knowledge management setups — creates a hardlink inside the vault: ln /etc/passwd vault_dir/notes/system-info.md. On the next scheduled load_data() run, ObsidianReader follows the hardlink without detecting it is outside the vault boundary and ingests /etc/passwd into the LLM context. If the pipeline stores embeddings, logs LLM context, or surfaces retrieved chunks to users via a chatbot interface, the file contents are exposed. The same technique applies to /run/secrets/api_key, ~/.aws/credentials, or any file the pipeline process can read.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.