Home > Vulnerability Database > CVE-2025-1753

Mend.io Vulnerability Database

CVE-2025-1753

Good to know:

Date: May 28, 2025

LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the "--files" argument, which is directly passed into "os.system". An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

Severity Score

7.8

Related Resources (5)

Url: https://github.com/run-llama/llama_index

Url: https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d

Url: https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1753

Url: https://www.mend.io/vulnerability-database/CVE-2025-1753

Severity Score

7.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version llama-index - 0.12.21;llama-index - 0.12.21;llama-index-cli - 0.4.1;https://github.com/run-llama/llama_index.git - v0.12.21

Learn More

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1753

Good to know:

Date: May 28, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?