Path Traversal Vulnerability in Run-Llama Product by Run-Llama

CVE-2025-6210

What is CVE-2025-6210?

CVE-2025-6210 is a significant vulnerability identified in the Run-Llama product, specifically impacting the ObsidianReader class within the run-llama/llama_index repository, version 0.12.27. This vulnerability arises from a hardlink-based path traversal flaw that allows unauthorized access to sensitive system files, such as /etc/passwd. Attackers can exploit this weakness due to inadequate handling of hardlinks in the load_data() method, essentially allowing them to bypass established path restrictions. The vulnerability underscores a serious security oversight, as it facilitates unauthorized file access which could lead to severe consequences for organizations by potentially compromising sensitive data and underlying operating system security.

Potential impact of CVE-2025-6210

1. Unauthorized Access to Sensitive Files: The vulnerability enables attackers to access critical system files, including system passwords and configurations, thereby compromising the integrity and confidentiality of the system.

2. Increased Risk of System Compromise: By exploiting this vulnerability, adversaries could gain escalated privileges within the affected systems, leading to broader security breaches, including data theft or additional malware deployment.

3. Reputational Damage and Financial Loss: Organizations affected by this vulnerability could face significant reputational harm, regulatory fines, and financial losses associated with incident response, remediation, and potential legal claims resulting from data breaches.

References