Home > Vulnerability Database > CVE-2025-3046

Mend.io Vulnerability Database

CVE-2025-3046

Good to know:

Date: July 7, 2025

A vulnerability in the "ObsidianReader" class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The "ObsidianReader" fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Severity Score

7.5

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-3046

Url: https://github.com/run-llama/llama_index

Url: https://github.com/run-llama/llama_index/commit/266eb3b3a61f158112726d75a5f5f0b90e34ded0

Url: https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e

Url: https://github.com/run-llama/llama_index/pull/18320

Url: https://huntr.com/bounties/90a1f1b2-bb82-4d66-9fc1-856ed5f904da

Url: https://www.mend.io/vulnerability-database/CVE-2025-3046

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version llama-index-readers-obsidian - 0.5.1;https://github.com/run-llama/llama_index.git - v0.12.28

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-3046

Good to know:

Date: July 7, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?