Insecure Temporary File Creation in Llama Index Core Package by Run Llama
CVE-2025-7647

7.3 HIGH

Key Information:

Vendor: Run-llama

CVE Published: 27 September 2025

What is CVE-2025-7647?

The llama-index-core package has a vulnerability in the get_cache_dir() function, which relies on a hardcoded directory path (/tmp/llama_index) on Linux systems without adequate security measures. This flaw permits attackers on multi-user systems to access sensitive proprietary models, compromise cached embeddings, or initiate symlink attacks. All Linux deployments that support multi-user environments are susceptible. The issue is classified under multiple CWEs that emphasize insecure temporary file management and possible race conditions.
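
The checks a cache directory in a shared location needs before it is trusted, as an added example that is not llama-index code or the project's fix. The function names check_cache_dir and ensure_private_cache_dir are hypothetical, and the demo uses a constructed temporary directory as a stand-in for the shared location.

```python
import os
import stat


def check_cache_dir(path, uid=None):
    """Return reasons `path` is unsafe as a private cache dir ([] means OK)."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # another user may have pre-planted a redirect
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    problems = []
    if st.st_uid != uid:
        problems.append("foreign-owner")  # whoever created it controls its contents
    if st.st_mode & 0o077:
        problems.append("group-or-world-accessible")
    return problems


def ensure_private_cache_dir(base, name="llama_index"):
    """Create base/name with mode 0700, or refuse to use what is already there."""
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)  # fails with EEXIST on any existing entry, links included
    except FileExistsError:
        pass  # may be ours from an earlier run; verified below either way
    problems = check_cache_dir(path)
    if problems:
        raise PermissionError(f"refusing cache dir {path}: {', '.join(problems)}")
    return path


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed stand-in for a shared temp location
    print(ensure_private_cache_dir(base))
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    print(check_cache_dir(shared))
```

Running check_cache_dir("/tmp/llama_index") on a multi-user host reports whether an existing directory at the hardcoded path is a symlink, is owned by another account, or is readable or writable by other users.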

Affected Version(s)

run-llama/llama_index < unspecified

CVSS V3.0

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
