CVE Alert: CVE-2025-1753

Vulnerability Summary: CVE-2025-1753
LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is passed directly into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.
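The safe pattern for the bug class described above, as an added illustration that is neither the project's code nor the fix in the referenced commit: each filename becomes its own argv entry passed to `subprocess.run` with no shell, so metacharacters in a name stay literal. The `cp` command and the helper names are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path

# Vulnerable shape described in the advisory (hypothetical sketch, not the project's code):
#   os.system(f"cp {files} {dest}")
# A shell parses that string, so a filename like "x; echo injected" becomes two commands.


def build_copy_argv(files, dest):
    """Return an argv list: one literal argument per filename, no shell involved."""
    # "--" ends option parsing so a name beginning with "-" cannot be read as a flag.
    return ["cp", "--", *[str(Path(f)) for f in files], str(dest)]


def safe_copy(files, dest):
    """Validate inputs, then run cp without a shell (subprocess list form)."""
    for f in files:
        if not Path(f).is_file():
            raise ValueError(f"not a regular file: {f!r}")
    if not Path(dest).is_dir():
        raise ValueError(f"not a directory: {dest!r}")
    subprocess.run(build_copy_argv(files, dest), check=True)


def demo():
    """Copy a file whose name contains shell metacharacters; True if it arrived intact."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        dst = Path(tmp) / "dst"
        src.mkdir()
        dst.mkdir()
        # Constructed input: a legal POSIX filename that a shell would split into two commands.
        tricky = src / "notes.txt; echo injected"
        tricky.write_text("hello")
        safe_copy([str(tricky)], dst)
        return (dst / tricky.name).read_text() == "hello"


if __name__ == "__main__":
    print(demo())
```

The same list-form call is the check to apply when reviewing any wrapper that hands user-supplied paths to an external tool: if a string is concatenated and handed to `os.system` or `shell=True`, the page's bug class is present.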
Affected Endpoints:
No affected endpoints listed.
Published Date:
5/28/2025, 10:15:21 AM
CVSS Score:
Exploit Status:
Not Exploited | EPS Score: 0.00057 | Ranking EPS: 0.17975
References:
- https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d
- https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.