Local Data Tampering Vulnerability in Llama Index Library by Llama Inc.
CVE-2025-7707

7.1HIGH

Key Information:

Vendor: Run-llama
Status: Run-llama/llama Index
Vendor: CVE Published:; 13 October 2025

What is CVE-2025-7707?

The Llama Index Library version 0.12.33 contains a vulnerability that unintentionally sets the NLTK data directory to a world-writable subdirectory of the codebase. This misconfiguration permits local users in multi-user environments to overwrite, delete, or corrupt NLTK data files, posing risks such as denial of service, data tampering, or privilege escalation. The use of a shared cache directory rather than a user-specific one increases the likelihood of malicious data manipulation and threatens the integrity and functionality of the application.

Affected Version(s)

run-llama/llama_index < unspecified

References

https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818...

https://github.com/run-llama/llama_index/commit/98816394d...

CVSS V3.0

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 13, 2025
Vulnerability Reserved
Jul 16, 2025

JSON

Run-llama

What is CVE-2025-7707?

Affected Version(s)

References

CVSS V3.0

Timeline