CVE-2025-6209
published 2025-07-07

Priority: P3 50 high
CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.55% (41.6th percentile)
A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.
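The advisory attributes the bug to missing validation of `image_path` before the file is read. As an added illustration (not llama_index's own code, and not necessarily how 0.12.41 fixes it), the following shows the defensive pattern a reviewer would expect: resolve the supplied path against an allowed base directory and refuse anything that lands outside it. `PathTraversalError`, `resolve_confined`, `encode_image_confined` and the fixture directory are assumed names; `Path.is_relative_to` requires Python 3.9 or later.

```python
import base64
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when image_path resolves outside the allowed directory."""


def resolve_confined(image_path: str, base_dir: str) -> Path:
    """Resolve image_path and require the result to stay under base_dir.

    Path.resolve() collapses '..' and follows symlinks, so the check runs
    on the real filesystem location rather than on the caller's string; a
    string-only '..' filter would miss symlinks and absolute paths.
    """
    base = Path(base_dir).resolve()
    candidate = (base / image_path).resolve()  # an absolute input replaces base
    if not candidate.is_relative_to(base) or not candidate.is_file():
        raise PathTraversalError(f"refusing {image_path!r}: outside {base}")
    return candidate


def encode_image_confined(image_path: str, base_dir: str) -> str:
    """Base64-encode an image file only if it lies inside base_dir."""
    with open(resolve_confined(image_path, base_dir), "rb") as fh:
        return base64.b64encode(fh.read()).decode("utf-8")


def demo() -> dict:
    """Constructed fixture: one allowed image, two out-of-directory paths."""
    root = Path(tempfile.mkdtemp())
    images = root / "images"
    images.mkdir()
    (images / "ok.png").write_bytes(b"\x89PNG fake")  # constructed content
    (root / "secret.txt").write_text("not an image")
    result = {"ok": encode_image_confined("ok.png", str(images)), "blocked": []}
    # Relative traversal and an absolute path both resolve outside `images`.
    for bad in ("../secret.txt", str(root / "secret.txt")):
        try:
            encode_image_confined(bad, str(images))
        except PathTraversalError:
            result["blocked"].append(bad)
    return result


if __name__ == "__main__":
    print(demo())
```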

Affected (2 ranges)

Vendor      Product                 Version range              Fixed in
llamaindex  llamaindex              >= 0.12.27 < 0.12.41       0.12.41
run-llama   run-llama_llama_index   >= unspecified < 0.12.41   0.12.41

CVSS provenance

nvd            v3.0  7.5  HIGH  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat        7.5  HIGH