PT-2025-39733 · Unknown · Llama-Index-Core
Published: 2025-06-29 · Updated: 2025-10-01 · CVE-2025-7647
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
llama-index-core versions through 0.12.44
Description
The software has an issue in the get_cache_dir() function due to the use of a predictable, hardcoded directory path /tmp/llama_index on Linux systems without sufficient security measures. This could allow attackers on multi-user systems to steal proprietary models, compromise cached embeddings, or perform symlink attacks. The issue impacts all Linux deployments where multiple users share the same system. The vulnerability is related to insecure temporary file creation and potential race conditions.
Recommendations
Versions prior to 0.12.44 should be updated.
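The weakness described above, shown next to one hardened alternative. This is an added example, not llama-index-core's code or its patch: insecure_cache_dir sketches a fixed shared path used without validation, and the function names, the base parameter and the per-UID directory suffix are assumptions made for illustration.

```python
import os
import stat


def insecure_cache_dir(base="/tmp", name="llama_index"):
    """Pattern the advisory describes: fixed shared path, no validation."""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)  # silently accepts an existing dir or symlink
    return path


def secure_cache_dir(base="/tmp", name="llama_index"):
    """Create or validate a private per-user cache directory under base."""
    path = os.path.join(base, f"{name}-{os.getuid()}")
    try:
        os.mkdir(path, 0o700)  # atomic create; fails if any entry already exists
    except FileExistsError:
        pass  # something is already there: validate it before trusting it
    st = os.lstat(path)  # lstat inspects the entry itself, not a symlink target
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory (symlink or file)")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to group/other")
    return path


if __name__ == "__main__":
    import tempfile

    base = tempfile.mkdtemp()    # constructed stand-in for a shared /tmp
    target = tempfile.mkdtemp()  # constructed stand-in for another user's location
    os.symlink(target, os.path.join(base, "llama_index"))
    os.symlink(target, os.path.join(base, f"llama_index-{os.getuid()}"))
    print("insecure resolves to:", os.path.realpath(insecure_cache_dir(base)))
    try:
        secure_cache_dir(base)
    except PermissionError as exc:
        print("secure rejected:", exc)
```

The ownership check depends on the base directory having the sticky bit set, as /tmp normally does, so that another user cannot rename or replace the directory after it has been validated.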
Fix
Time Of Check To Time Of Use
Related Identifiers
Affected Products
Llama-Index-Core