7.8

CVE-2025-7707

Exploit

EPSS 0.04%
Veröffentlicht 13.10.2025 16:15:08
Zuletzt bearbeitet 21.10.2025 14:48:53
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Llamaindex ≫ Llamaindex Version >= 0.12.33 < 0.13.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.121

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@huntr.dev	7.1	1.8	5.2	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-377 Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4

Patch

https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-7707

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-7707

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-7707

EUVD