Arbitrary File Write Vulnerability in txtai Framework by Neuml
CVE-2025-10854

8.1HIGH

Key Information:

Status
Vendor
CVE Published:
22 September 2025

What is CVE-2025-10854?

The txtai framework, known for its efficient handling of embedding indices, suffers from a vulnerability that allows arbitrary file writing. Although the validate function aims to protect against path traversal vulnerabilities by checking for safe filenames, it fails to adequately address symbolic links within compressed tar files. This oversight can be exploited by an attacker to write files to any location in the filesystem when untrusted embedding indices are loaded. Users of txtai are advised to review the associated security implications and apply necessary patches.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/neuml/txtai/issues/965
patch
https://research.jfrog.com/vulnerabilities/txtai-arbitrar...
third-party-advisory

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.