CVE-2025-7707

HIGH

Llama_index 0.12.33 - Info Disclosure

Title source: llm

Description

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

References (2)

[Patch] https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4

[Exploit, Third Party Advisory] https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 6.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-377

Status published

Products (2)

llamaindex/llamaindex 0.12.33 - 0.13.0

pypi/llama-index 0 - 0.13.0PyPI

Published Oct 13, 2025

Tracked Since Feb 18, 2026