CVE-2025-6209
📋 TL;DR
A path traversal vulnerability in run-llama/llama_index versions 0.12.27 through 0.12.40 allows attackers to read arbitrary files on the server by manipulating the image_path input in the encode_image function. This affects any system using vulnerable versions of llama_index where the encode_image function processes untrusted input. The vulnerability enables access to sensitive system files outside the intended directory.
💻 Affected Systems
- run-llama/llama_index
📦 What is this software?
LlamaIndex by LlamaIndex
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/passwd, SSH keys, configuration files, or database credentials, potentially leading to privilege escalation and lateral movement.
Likely Case
Exfiltration of sensitive application data, configuration files, or user information stored on the server filesystem.
If Mitigated
Limited impact if proper input validation and file access controls are implemented, restricting the attack surface.
🎯 Exploit Status
Exploitation requires the encode_image function to be called with attacker-controlled input. The vulnerability is simple to exploit with basic path traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.41
Vendor Advisory: https://github.com/run-llama/llama_index/commit/cdeaab91a204d1c3527f177dac37390327aef274
Restart Required: No
Instructions:
1. Update llama_index to version 0.12.41 or later using pip: pip install --upgrade llama-index==0.12.41
2. Verify the update completed successfully
3. No restart required as this is a Python library update
🔧 Temporary Workarounds
Input Validation Wrapper
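All platforms: Implement custom input validation to sanitize image_path inputs before passing them to the encode_image function
# Python code to validate image_path
import os
from pathlib import Path

# Directory that image paths must resolve inside (placeholder, set for your deployment)
ALLOWED_DIR = Path('/path/to/allowed/images').resolve()

def safe_encode_image(image_path):
    # Resolve symlinks and ".." segments, then check containment by path component.
    # A plain startswith() check would also accept '/path/to/allowed/images_other'.
    real_path = Path(os.path.realpath(image_path))
    if not real_path.is_relative_to(ALLOWED_DIR):  # Python 3.9+
        raise ValueError('Invalid image path')
    # Call original encode_image with validated path
    # (encode_image is the llama_index function your application already imports)
    return encode_image(str(real_path))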
File Access Restriction
Linux: Run the application with restricted filesystem permissions using chroot, containers, or minimal privilege accounts
# Run with restricted user
sudo -u restricted_user python app.py
# Docker example with read-only root filesystem and a read-only mount for the image directory
docker run --read-only -v /allowed/images:/images:ro myapp
🧯 If You Can't Patch
- Implement strict input validation for all image_path parameters before passing to encode_image function
- Run the application with minimal filesystem permissions using containerization or restricted user accounts
🔍 How to Verify
Check if Vulnerable:
Check if llama_index version is between 0.12.27 and 0.12.40 inclusive, and if the application uses encode_image function with user-supplied input
Check Version:
python -c "from importlib.metadata import version; print(version('llama-index'))"
Verify Fix Applied:
Verify llama_index version is 0.12.41 or later and test that path traversal attempts are properly rejected
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file access attempts with path traversal patterns (../)
- Access to unexpected file paths from encode_image function calls
- Error logs showing permission denied for system files
Network Indicators:
- Unusual outbound data transfers following image processing requests
- Repeated requests with varying image_path parameters containing ../ sequences
SIEM Query:
source="application.logs" AND ("encode_image" AND ("..\\" OR "../" OR "%2e%2e%2f"))
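The log indicators above can also be checked offline. The following is an added example, not code from llama_index or from this advisory: it scans application log lines for encode_image calls whose image_path contains a ".." segment, including percent-encoded and double-encoded forms that a literal string match misses. The log format (encode_image image_path="...") and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# A ".." path segment bounded by a separator or the start/end of the string.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Assumed log format: each call is logged as: encode_image image_path="<value>"
CALL = re.compile(r'encode_image\b.*?image_path="([^"]*)"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_paths(log_lines):
    """Return (line_number, decoded_path) for encode_image calls with a '..' segment."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = CALL.search(line)
        if not match:
            continue
        path = fully_decode(match.group(1))
        if TRAVERSAL.search(path):
            hits.append((number, path))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '2025-01-01T10:00:00 INFO encode_image image_path="uploads/cat.png"',
    '2025-01-01T10:00:01 INFO encode_image image_path="uploads/../../etc/passwd"',
    '2025-01-01T10:00:02 INFO encode_image image_path="uploads/%2e%2e%2fsecrets.env"',
    '2025-01-01T10:00:03 INFO encode_image image_path="uploads/%252e%252e%252fid_rsa"',
    '2025-01-01T10:00:04 INFO encode_image image_path="uploads/report..final.png"',
    '2025-01-01T10:00:05 INFO resize_image image_path="../tmp/x.png"',
    '2025-01-01T10:00:06 INFO encode_image image_path="..\\windows\\win.ini"',
]

if __name__ == "__main__":
    for number, path in suspicious_paths(SAMPLE_LOG):
        print(f"line {number}: {path}")
```

Matching on a whole ".." segment keeps file names such as report..final.png from raising false positives.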