CVE-2025-7707

Exploit

EPSS 0.17%
Veröffentlicht 13.10.2025 16:15:08
Zuletzt bearbeitet 21.10.2025 14:48:53
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

World-Writable NLTK Cache Directory Vulnerability in run-llama/llama_index

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Llamaindex ≫ Llamaindex Version >= 0.12.33 < 0.13.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.063

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@huntr.dev	7.1	1.8	5.2	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-377 Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4

Patch

https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-7707

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-7707

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-7707

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-7707