CVE-2025-3046

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to read arbitrary files on systems using the affected llama_index library by exploiting symbolic link handling in the ObsidianReader class. Users of run-llama/llama_index versions 0.12.23 through 0.12.28 who process Obsidian vaults are affected. The flaw enables unauthorized access to sensitive files outside the intended directory structure.

💻 Affected Systems

Products:
  • run-llama/llama_index
Versions: 0.12.23 to 0.12.28
Operating Systems: All operating systems supporting symbolic links (Linux, macOS, Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the ObsidianReader class to process Obsidian vaults. The vulnerability is present in default configurations when processing vaults containing symbolic links.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through reading sensitive files like SSH keys, configuration files, or credentials, potentially leading to privilege escalation or lateral movement.

🟠 Likely Case

Unauthorized access to sensitive application data, configuration files, or user documents stored on the same filesystem as the vulnerable application.

🟢 If Mitigated

Limited to reading files accessible by the application's user account, but still exposing sensitive data that should be protected.

🌐 Internet-Facing: MEDIUM - Exploitation requires the application to process user-controlled Obsidian vaults, which is less common in internet-facing scenarios but possible in certain configurations.
🏢 Internal Only: HIGH - Internal applications processing Obsidian vaults from multiple users or sources are particularly vulnerable to this attack.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create or modify Obsidian vault files that the application processes. The vulnerability is well-documented with public proof-of-concept available through the huntr.com bounty reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.29 and later

Vendor Advisory: https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e

Restart Required: No

Instructions:

1. Update llama_index to version 0.12.29 or later using pip: 'pip install --upgrade "llama-index>=0.12.29"' (the quotes keep the shell from treating '>' as an output redirection).
2. Verify the update completed successfully.
3. No application restart is required as this is a library update.

🔧 Temporary Workarounds

Disable ObsidianReader processing

all

Temporarily disable or remove the ObsidianReader functionality from your application until patching is possible.

Validate vault directories

all

Implement pre-processing validation to check for symbolic links in Obsidian vault directories before passing them to ObsidianReader.

# Python example to check for symlinks before handing a vault to ObsidianReader
import os

def reject_symlinks(vault_path):
    # followlinks=False (the default) keeps the walk from descending into linked directories
    for root, dirs, files in os.walk(vault_path):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                raise ValueError(f'Symbolic link detected: {path}')

reject_symlinks('/path/to/obsidian/vault')  # raises on the first symlink found
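A stricter form of this validation resolves every vault entry and rejects only those whose target leaves the vault root, so internal aliases keep working while escaping links are caught. This is an added example, not code from the advisory or from the llama_index project; the function names and the temporary vault layout are constructed for illustration.

```python
# Added example (not from the advisory or llama_index): containment check for an
# Obsidian vault. Every entry is resolved and must stay inside the resolved vault
# root; symlinks that stay inside the vault are allowed, links (or chains of
# links) that point elsewhere are reported. Names and layout are constructed.
import os
import tempfile
from pathlib import Path


def find_escaping_entries(vault_path):
    """Return entries (relative to the vault) whose resolved target lies
    outside the resolved vault root."""
    root = Path(vault_path).resolve(strict=True)
    escaping = []
    # followlinks=False: never descend into a linked directory, so a link to
    # "/" cannot turn the walk into a whole-filesystem scan.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            target = entry.resolve()  # non-strict: dangling links still resolve
            if target != root and root not in target.parents:
                escaping.append(str(entry.relative_to(root)))
    return sorted(escaping)


def demo():
    """Build a constructed vault in a temp dir: one honest note, one internal
    symlink, and one symlink escaping to a file outside the vault."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "vault"
        (vault / "notes").mkdir(parents=True)
        (vault / "notes" / "daily.md").write_text("# constructed note\n")
        (vault / "alias.md").symlink_to(vault / "notes" / "daily.md")
        outside = Path(tmp) / "outside.txt"
        outside.write_text("not part of the vault\n")
        (vault / "notes" / "evil.md").symlink_to(outside)
        return find_escaping_entries(vault)


if __name__ == "__main__":
    print(demo())  # ['notes/evil.md']
```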

🧯 If You Can't Patch

  • Restrict filesystem permissions for the application user to limit accessible files
  • Implement strict input validation and sanitization for Obsidian vault paths before processing

🔍 How to Verify

Check if Vulnerable:

Check your llama_index version: 'pip show llama-index' and verify if it's between 0.12.23 and 0.12.28 inclusive.

Check Version:

pip show llama-index | grep Version

Verify Fix Applied:

After updating, verify the version is 0.12.29 or higher: 'pip show llama-index | grep Version'

📡 Detection & Monitoring

Log Indicators:

  • Multiple file access errors or permission denied errors from the ObsidianReader
  • Unusual file access patterns to sensitive directories

Network Indicators:

  • N/A - This is a local file system vulnerability

SIEM Query:

source="application_logs" AND ("ObsidianReader" OR "llama_index") AND ("permission denied" OR "FileNotFoundError" OR "symlink")
