Home > Vulnerability Database > CVE-2025-6209

Mend.io Vulnerability Database

CVE-2025-6209

Good to know:

Date: July 7, 2025

A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the "encode_image" function in "generic_utils.py". This vulnerability allows an attacker to manipulate the "image_path" input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

Severity Score

7.5

Related Resources (6)

Url: https://github.com/run-llama/llama_index

Url: https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-65.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-6209

Url: https://github.com/run-llama/llama_index/commit/cdeaab91a204d1c3527f177dac37390327aef274

Url: https://huntr.com/bounties/e89d14f8-bfe8-4c9a-bb2a-656c01cc9a68

Url: https://www.mend.io/vulnerability-database/CVE-2025-6209

Severity Score

7.5

Weakness Type (CWE)

Path Traversal: '..filename'

CWE-29

Top Fix

Upgrade Version

Upgrade to version llama-index-core - 0.12.41;llama-index-core - 0.12.41;llama-index-core - 0.12.41;llama-index - 0.12.41;llama-index - 0.12.41;https://github.com/run-llama/llama_index.git - v0.12.41

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-6209

Good to know:

Date: July 7, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?