CVE-2025-7647

Severity: NONE · EPSS: 3.3%
Published: Sep 27, 2025 · Last modified: Jun 17, 2026

Description

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions.
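The description explains the failure mode in words only. The following is an added illustration written for this page, not code from the llama_index project: a hardcoded shared path (modelled on the `/tmp/llama_index` pattern the description names) beside a per-user, permission-checked replacement, plus a constructed simulation of the symlink attack where another local user pre-creates the predictable name as a symlink into a directory they control. The function names `insecure_cache_dir`, `secure_cache_dir` and `simulate_symlink_attack`, and the `XDG_CACHE_HOME` / `~/.cache` fallback, are this example's own choices, not the project's API.

```python
import os
import stat
import tempfile


def insecure_cache_dir(base="/tmp"):
    """Illustrative vulnerable pattern (not the project's actual code).

    A fixed, world-predictable name under a shared directory. os.makedirs
    follows an attacker-planted symlink and never checks ownership or mode,
    so any local user who plants the name first controls where the victim's
    cached models and embeddings are written and read.
    """
    path = os.path.join(base, "llama_index")
    os.makedirs(path, exist_ok=True)
    return path


def secure_cache_dir(base=None):
    """Per-user cache directory created with restrictive permissions.

    Resolution (assumed convention for this example): explicit `base`,
    then $XDG_CACHE_HOME, then ~/.cache. The directory must not be a
    symlink, must be owned by the calling user, and is forced to 0700.
    """
    if base is None:
        base = os.environ.get("XDG_CACHE_HOME") or os.path.join(
            os.path.expanduser("~"), ".cache"
        )
    path = os.path.join(base, "llama_index")
    os.makedirs(path, mode=0o700, exist_ok=True)

    st = os.lstat(path)  # lstat, not stat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"{path} is a symlink; refusing to use it")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} exists but is not a directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not us")
    if stat.S_IMODE(st.st_mode) != 0o700:
        # Pre-existing directory (or a permissive umask): tighten it.
        os.chmod(path, 0o700)
    return path


def simulate_symlink_attack():
    """Constructed demonstration of the attack the description outlines.

    A sandbox directory stands in for /tmp. The 'attacker' creates the
    predictable name as a symlink to a directory they own before the victim
    runs. Returns (victim_file_landed_in_attacker_dir, hardened_version_refused).
    """
    sandbox = tempfile.mkdtemp()
    attacker_dir = os.path.join(sandbox, "attacker_controlled")
    os.mkdir(attacker_dir)
    os.symlink(attacker_dir, os.path.join(sandbox, "llama_index"))

    # Victim using the hardcoded pattern: makedirs "succeeds" via the symlink,
    # and the cache file is written into the attacker's directory.
    victim_dir = insecure_cache_dir(base=sandbox)
    with open(os.path.join(victim_dir, "embeddings.bin"), "wb") as fh:
        fh.write(b"constructed sample cache payload")
    landed = os.path.exists(os.path.join(attacker_dir, "embeddings.bin"))

    # Hardened version against the same planted symlink.
    try:
        secure_cache_dir(base=sandbox)
        refused = False
    except RuntimeError:
        refused = True
    return landed, refused


def secure_dir_mode():
    """Permission bits of a freshly created hardened cache dir (expect 0o700)."""
    return stat.S_IMODE(os.stat(secure_cache_dir(base=tempfile.mkdtemp())).st_mode)


if __name__ == "__main__":
    print("insecure pattern wrote into attacker dir, hardened refused:",
          simulate_symlink_attack())
    print("hardened dir mode:", oct(secure_dir_mode()))
```

The lstat-after-makedirs check still leaves a small check-then-use window (the CWE-367 race the description mentions); the stronger form opens the directory with `O_NOFOLLOW` and does all subsequent file operations relative to that descriptor (`os.open`, `dir_fd=`). The decisive fix, though, is the one shown above: a per-user location with 0700 permissions, so an unprivileged co-tenant cannot plant anything at the path in the first place.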

Threat Intelligence

EPSS exploit probability: 3.3% (percentile)
Exploit status: No known exploit
Patch status: No patch available

Weaknesses (1)

CWE-378 (note: the description text above cites CWE-379, CWE-377 and CWE-367 instead; the CWE assignment is inconsistent on this record)

References (2)

  • github.com https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4
  • huntr.com https://huntr.com/bounties/a2baa08f-98bf-47a8-ac83-06f7411afd9e

Remediation

No remediation data recorded yet.

Check vendor advisories and the NVD entry for patch availability. Note that the first reference above is a commit in the upstream run-llama/llama_index repository and the description bounds the affected range at "up to version 0.12.44"; verify whether your installed llama-index-core release is later than that and includes that commit before relying on the "No patch available" status shown here. Until confirmed, avoid running affected versions on hosts shared with untrusted local users, since the attack requires only the ability to create entries under the shared temporary directory.