Path Traversal Vulnerability in Run-Llama's Llama_Index Product
CVE-2025-6209
What is CVE-2025-6209?
CVE-2025-6209 is a path traversal vulnerability in Run-Llama's Llama_Index product, affecting versions 0.12.27 through 0.12.40. The flaw lies in the encode_image function in the generic_utils.py file, which does not properly validate the file path it is given. An attacker who controls the image_path input can therefore make the function read arbitrary files on the server, including sensitive files, which poses a serious risk to organizational security. Because files outside the intended directory can be reached, critical data and system configuration files may be exposed; users should upgrade to version 0.12.41, where this vulnerability is fixed.
Potential impact of CVE-2025-6209
- Data Breach Risk: The vulnerability can enable unauthorized access to sensitive files on the server, potentially leading to significant data breaches that expose confidential information or intellectual property.
- System Compromise: By exploiting the path traversal vulnerability, an attacker could gain access to system files, which might allow further malicious actions, including deploying malware or establishing persistent access to the affected environments.
- Compliance Violations: For organizations subject to regulatory standards governing data security and privacy, exploitation of this vulnerability could lead to non-compliance, with legal repercussions and financial penalties for inadequate protection of sensitive information.
Affected Version(s)
run-llama/llama_index < 0.12.41