Home > Vulnerability Database > CVE-2025-10854

Mend.io Vulnerability Database

CVE-2025-10854

Good to know:

Date: September 22, 2025

The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices

Severity Score

8.1

Related Resources (4)

Url: https://github.com/neuml/txtai/issues/965

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-10854

Url: https://research.jfrog.com/vulnerabilities/txtai-arbitrary-file-write-jfsa-2025-001471363/

Url: https://www.mend.io/vulnerability-database/CVE-2025-10854

Severity Score

8.1

Weakness Type (CWE)

UNIX Symbolic Link (Symlink) Following

CWE-61

Top Fix

Upgrade Version

Upgrade to version txtai - 9.0.1;txtai - 9.0.1

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-10854

Good to know:

Date: September 22, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?