PT-2025-41794 · Llama Index
Published 2025-10-13 · Updated 2025-10-21
CVE-2025-7707
CVSS v3.1 7.8 High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
llama_index version 0.12.33
Description
By default, llama_index sets the NLTK data directory to a subdirectory inside its own installed codebase rather than to a per-user location. On multi-user systems where that directory is world-writable, or otherwise writable by other local users, any local user can overwrite, delete or corrupt the NLTK data files that every other user's llama_index process loads from the same path. The consequences are denial of service (missing or corrupt resources make tokenisation and related NLP steps fail), data tampering (altered tokenizer or stopword data silently changes processing results) and potentially privilege escalation: the tampered resource is loaded by whichever user runs llama_index next, with that user's privileges, and NLTK deserialises some resources with pickle, so a crafted file can execute code in the loading process. The root cause is the use of a cache directory shared between all users of the installation instead of one that is user-specific and not writable by others. The CVSS vector reflects this: local access with low privileges, no user interaction, and high impact on confidentiality, integrity and availability.
Recommendations
Update to a newer release of llama_index that contains the fix (the affected version listed above is 0.12.33). Until the update is applied, or as defence in depth on shared hosts: point NLTK at a per-user data directory by setting the NLTK_DATA environment variable before the library is imported (NLTK prepends its entries to nltk.data.path), create that directory with mode 0700, and make sure the package installation directory, including any cache it creates, is owned by a trusted account and is not writable by group or others. Audit existing NLTK data directories for world- or group-writable permissions and for ownership by other users, and re-download the resources into a trusted location if any are found.
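The check and the hardened configuration described above, as an added example (this is not llama_index's or NLTK's own code). It assumes POSIX permission bits, an illustrative in-package cache layout of `<package_dir>/_static/nltk_cache`, and that NLTK reads the `NLTK_DATA` environment variable at import time; the function names are hypothetical. `dir_problems()` rejects any directory that is missing, owned by another user, or writable by group or others, and `choose_nltk_data_dir()` falls back to a per-user directory forced to mode 0700 instead of the shared one:

```python
"""
Check and harden the NLTK data directory location.

Added example, not llama_index's or NLTK's own code. Assumptions:
  * POSIX permissions (os.getuid, mode bits); Windows ACLs are out of scope.
  * The in-package cache layout `<package_dir>/_static/nltk_cache` is
    illustrative only.
  * NLTK honours the NLTK_DATA environment variable (os.pathsep-separated
    directories prepended to nltk.data.path); NLTK itself is not imported here.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Illustrative layout of the weak default: a cache inside the installed codebase.
WEAK_SUBDIR = Path("_static") / "nltk_cache"


def weak_nltk_data_dir(package_dir: Path) -> Path:
    """The pattern the advisory describes: one cache inside the installed
    package, shared by every local user who imports it."""
    return package_dir / WEAK_SUBDIR


def dir_problems(path: Path) -> List[str]:
    """Reasons `path` must not be trusted as an NLTK data directory by the
    calling user. An empty list means the directory passed every check."""
    try:
        st = path.stat()
    except FileNotFoundError:
        return ["missing"]
    problems: List[str] = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid not in (os.getuid(), 0):
        problems.append(f"owned by uid {st.st_uid}, not the caller or root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def user_nltk_data_dir() -> Path:
    """Per-user location ($XDG_CACHE_HOME/nltk_data, else ~/.cache/nltk_data),
    forced to mode 0700 so no other local user can plant or alter files."""
    root = Path(os.environ.get("XDG_CACHE_HOME") or Path.home() / ".cache")
    path = root / "nltk_data"
    path.mkdir(parents=True, exist_ok=True, mode=0o700)
    path.chmod(0o700)  # mkdir() leaves a pre-existing directory's mode alone
    problems = dir_problems(path)
    if problems:  # e.g. XDG_CACHE_HOME pointing at another user's directory
        raise PermissionError(f"{path} is unsafe: {', '.join(problems)}")
    return path


def choose_nltk_data_dir(candidates: Iterable[Path]) -> Path:
    """Use the first candidate that passes every check; otherwise fall back to
    a fresh per-user directory instead of a shared one."""
    for candidate in candidates:
        if not dir_problems(candidate):
            return candidate
    return user_nltk_data_dir()


def export_nltk_data(path: Path) -> None:
    """Publish the chosen directory to NLTK. Must run before `import nltk`,
    because nltk.data.path is built at import time."""
    os.environ["NLTK_DATA"] = str(path)


def demo() -> Dict[str, object]:
    """Constructed scenario: a world-writable in-package cache next to a
    per-user fallback, both under a scratch directory (no real NLTK data)."""
    root = Path(tempfile.mkdtemp(prefix="nltk-dir-demo-"))
    shared = weak_nltk_data_dir(root / "site-packages" / "llama_index")
    shared.mkdir(parents=True)
    shared.chmod(0o777)  # the shared, world-writable condition from the advisory
    os.environ["XDG_CACHE_HOME"] = str(root / "cache")  # keep fallback in scratch
    chosen = choose_nltk_data_dir([shared])
    export_nltk_data(chosen)
    return {
        "shared_problems": dir_problems(shared),
        "chosen_is_shared": chosen == shared,
        "chosen_problems": dir_problems(chosen),
        "chosen_under_user_cache": chosen == root / "cache" / "nltk_data",
        "nltk_data_env": os.environ["NLTK_DATA"] == str(chosen),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the module directly to see the shared cache rejected as world- and group-writable and the per-user directory selected instead. The same `dir_problems()` check can be run against the real NLTK search path on a shared host to audit existing installations; the fallback deliberately raises rather than silently accepting a per-user path that another account can write to.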
Impact
DoS
LPE
Affected Products
Nltk
Llama Index