Arbitrary File Write Vulnerability in txtai Framework by Neuml
CVE-2025-10854

8.1HIGH

Key Information:

Status
Vendor: CVE Published:; 22 September 2025

What is CVE-2025-10854?

The txtai framework, known for its efficient handling of embedding indices, suffers from a vulnerability that allows arbitrary file writing. Although the validate function aims to protect against path traversal vulnerabilities by checking for safe filenames, it fails to adequately address symbolic links within compressed tar files. This oversight can be exploited by an attacker to write files to any location in the filesystem when untrusted embedding indices are loaded. Users of txtai are advised to review the associated security implications and apply necessary patches.

References

https://github.com/neuml/txtai/issues/965

patch

https://research.jfrog.com/vulnerabilities/txtai-arbitrar...

third-party-advisory

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
Sep 22, 2025