- Description: A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.
- Source: security@huntr.dev
- NVD status: Awaiting Analysis
CVSS 3.0
- Type: Secondary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity: HIGH
- CWE-29 (source: security@huntr.dev)
- Hype score: Not currently trending
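The defensive pattern that closes this bug class is to resolve the supplied path and refuse anything that does not stay under an allowed image directory. The block below is an added illustration, not the llama_index fix itself; `resolve_within`, `encode_image_confined` and the sandbox built in `demo` are assumed names, and the files they create are constructed sample data.

```python
import base64
import tempfile
from pathlib import Path


def resolve_within(image_path: str, allowed_root: str) -> Path:
    """Resolve image_path and confirm the result stays inside allowed_root.

    Because the check runs on the fully resolved path, '..' segments,
    absolute paths and symlinks that leave the root are all refused.
    """
    root = Path(allowed_root).resolve(strict=True)
    candidate = (root / image_path).resolve()   # an absolute image_path replaces root here
    try:
        candidate.relative_to(root)             # ValueError when candidate is not under root
    except ValueError:
        raise PermissionError(f"path escapes image root: {image_path!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def encode_image_confined(image_path: str, allowed_root: str) -> str:
    """Base64-encode the image only after the containment check passes."""
    data = resolve_within(image_path, allowed_root).read_bytes()
    return base64.b64encode(data).decode("ascii")


def demo() -> dict:
    """Constructed sandbox: one image inside the root, one secret file outside it."""
    base = Path(tempfile.mkdtemp())
    root = base / "images"
    root.mkdir()
    (root / "cat.png").write_bytes(b"\x89PNG constructed sample")
    (base / "secret.txt").write_text("constructed secret outside the root")
    try:
        (root / "link").symlink_to(base / "secret.txt")  # symlink pointing outside the root
    except OSError:
        pass                                              # platform without symlink support
    attempts = [("inside", "cat.png"), ("dotdot", "../secret.txt"),
                ("absolute", str(base / "secret.txt")), ("symlink", "link"),
                ("missing", "missing.png")]
    results = {}
    for label, path in attempts:
        try:
            encoded = encode_image_confined(path, str(root))
            original = (root / path).read_bytes()
            results[label] = "ok" if base64.b64decode(encoded) == original else "corrupt"
        except PermissionError:
            results[label] = "rejected"
        except FileNotFoundError:
            results[label] = "missing"
    return results
```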
I'm excited to share that CVE-2025-6209 has been assigned to a vulnerability I discovered in @llama_index - an unauthenticated arbitrary file read via path traversal, triggered through the ImageDocument class. 💰 Bounty awarded: $750 📄 Disclosure: https://t.co/K9kpIihmvL h
@0xManan
7 Jul 2025
CVE-2025-6209 A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. … https://t.co/ZvAeHyShtz
@CVEnew
7 Jul 2025