The vulnerability exists within the `get_cache_dir()` function of the llama-index-core package, which insecurely uses a hardcoded, predictable directory path (`/tmp/llama_index`) on Linux systems. This function is responsible for determining the location where the package caches data, such as downloaded models and generated embeddings. Because the directory path is static and lives under the world-writable `/tmp`, any user on the same multi-user system can access, modify, or delete the contents of this cache. This design flaw enables several attack vectors. A local attacker can create a symbolic link (symlink) from the predictable `/tmp/llama_index` path to a critical file on the system. When the application with higher privileges subsequently writes to its cache, it may inadvertently overwrite or corrupt the targeted file. Furthermore, attackers can directly read cached proprietary models to steal intellectual property or poison the cached embeddings to manipulate the application’s output, leading to data integrity loss or other security breaches.
Platform: llama-index-core
Version: <= 0.12.44
Vulnerability: Insecure Temporary File
Severity: High
Date: 2025-09-27
Prediction: Patch by 2025-10-11
What Undercode Says:
```bash
# Inspect the shared, predictable cache location on a multi-user host
ls -la /tmp/llama_index
cat /tmp/llama_index/cache_file.json
# Plant a symlink inside the cache directory pointing at a sensitive file
ln -s /etc/passwd /tmp/llama_index/cache_poison
```

```python
# The vulnerable helper is called internally by the package when it
# needs a location for cached models and embeddings.
from llama_index.core.utils import get_cache_dir

cache_dir = get_cache_dir()  # returns /tmp/llama_index on Linux unless overridden
```
How to Exploit:
Attacker creates symlink from `/tmp/llama_index` to a sensitive file like /etc/passwd. When the application writes its cache, it corrupts the target file. Alternatively, an attacker simply reads the cached model files from the predictable location.
Protection from this CVE
Update llama-index-core to a version beyond 0.12.44 once a patch is released. As an immediate workaround, set the `LLAMA_INDEX_CACHE_DIR` environment variable to a secure, user-specific, non-world-writable directory.
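The workaround above relies on the application actually honouring a private cache location. The following is an added example written for this page, not code from llama-index-core or from the advisory author; the helper names `audit_cache_dir`, `safe_cache_dir` and `demo` are hypothetical. It picks a per-user cache root (the `LLAMA_INDEX_CACHE_DIR` override, else `$XDG_CACHE_HOME/llama_index` or `~/.cache/llama_index`), creates it with mode 0700, and refuses to use any directory that is a symlink, owned by someone else, writable or readable by other users, or that contains symlinked entries, which is how a pre-planted redirect to a sensitive file shows up. `demo()` builds both an insecure and a hardened cache root in a scratch directory (constructed data) so the checks can be seen firing.

```python
"""Added defensive example (not llama-index code): choose and audit a
per-user cache directory instead of the shared /tmp/llama_index path.
POSIX only (uses os.getuid and permission bits)."""
import os
import stat
import tempfile
from pathlib import Path


def audit_cache_dir(path):
    """Return a list of problems that make `path` unsafe as a cache root.

    Checks the directory itself (symlink, owner, permission bits) and
    flags symlinked entries inside it.
    """
    path = Path(path)
    if path.is_symlink():
        return ["symlink"]  # never follow it; nothing else matters
    try:
        st = path.lstat()
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append("foreign-owner")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable-by-others")  # cached models would leak
    for entry in path.iterdir():
        if entry.is_symlink():
            findings.append("entry-symlink:" + entry.name)
    return findings


def safe_cache_dir(env=None):
    """Pick a private cache root, create it 0700, and refuse anything unsafe.

    Honours the LLAMA_INDEX_CACHE_DIR override from the advisory, otherwise
    uses $XDG_CACHE_HOME/llama_index or ~/.cache/llama_index. It never
    falls back to a shared, predictable /tmp path.
    """
    env = os.environ if env is None else env
    override = env.get("LLAMA_INDEX_CACHE_DIR")
    if override:
        path = Path(override)
    else:
        xdg = env.get("XDG_CACHE_HOME")
        base = Path(xdg) if xdg else Path.home() / ".cache"
        path = base / "llama_index"
    # exist_ok=False: a pre-existing path (e.g. a planted symlink) is not
    # silently adopted; the audit below decides whether it is acceptable.
    try:
        path.mkdir(mode=0o700, parents=True, exist_ok=False)
    except FileExistsError:
        pass
    problems = audit_cache_dir(path)
    if problems:
        raise RuntimeError("unsafe cache dir %s: %s" % (path, ", ".join(problems)))
    return path


def demo():
    """Constructed scenario: one cache root set up the insecure way
    (world-writable, with a planted symlink) and one created safely."""
    with tempfile.TemporaryDirectory() as scratch:
        shared = Path(scratch) / "shared_llama_index"
        shared.mkdir()
        os.chmod(shared, 0o777)  # equivalent of chmod a+rwx, ignoring umask
        (shared / "cache_poison").symlink_to(Path(scratch) / "victim.txt")
        bad = audit_cache_dir(shared)

        private = {"LLAMA_INDEX_CACHE_DIR": str(Path(scratch) / "private" / "llama_index")}
        good_path = safe_cache_dir(env=private)
        good = audit_cache_dir(good_path)
        good_mode = stat.S_IMODE(good_path.lstat().st_mode)

        try:  # pointing the override at the poisoned directory must fail closed
            safe_cache_dir(env={"LLAMA_INDEX_CACHE_DIR": str(shared)})
            refused = False
        except RuntimeError:
            refused = True
    return {"bad": bad, "good": good, "good_mode": good_mode, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the audit results for both directories; the insecure root reports `world-writable`, `group-writable`, `readable-by-others` and `entry-symlink:cache_poison`, while the hardened root reports nothing and has mode 0700. In an application, call `safe_cache_dir()` once at startup and export its result as `LLAMA_INDEX_CACHE_DIR` before llama-index is imported so that `get_cache_dir()` picks it up instead of `/tmp/llama_index`.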
Impact:
Theft of proprietary AI models, poisoning of cached embeddings causing corrupted outputs, and potential file corruption on the system via symlink attacks leading to denial of service or privilege escalation.
Sources:
Reported By: github.com

