CVE-2025-6209

Name of the Vulnerable Software and Affected Versions: run-llama/llama index versions 0.12.27 through 0.12.40

Description: A path traversal vulnerability exists, specifically within the encode image function in generic utils.py, allowing an attacker to manipulate the image path input to read arbitrary files on the server, including sensitive system files. This issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory.

Recommendations: For run-llama/llama index versions 0.12.27 through 0.12.40, update to version 0.12.41 to resolve the issue. As a temporary workaround, consider restricting access to the encode image function in generic utils.py to minimize the risk of exploitation. Avoid using the image path input in the affected function until the issue is resolved.