Bug 2399917 (CVE-2025-7647)
| Summary: | CVE-2025-7647 llama-index-core: Insecure Temporary File Handling in run-llama/llama_index | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | anpicker, bparees, haoli, hasun, hkataria, jajackso, jcammara, jfula, jmitchel, jneedle, jowilson, jwong, kegrant, koliveir, kshier, mabashia, nyancey, ometelka, pbraun, ptisnovs, shvarugh, simaishi, smcdonal, stcannon, syedriko, teagle, tfister, thavo, ttakamiy, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in llama-index-core where the get_cache_dir() function creates a hardcoded /tmp/llamda_index directory without secure permissions or user isolation. On Linux systems with multiple users, this allows attackers to steal cached models, poison embeddings, or perform symlink attacks leading to information disclosure or data corruption.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-09-27 17:01:15 UTC
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 Red Hat Ansible Automation Platform 2.5 for RHEL 9 Via RHSA-2025:18984 https://access.redhat.com/errata/RHSA-2025:18984 |