Bug 2368930 (CVE-2025-1753) - CVE-2025-1753 llama-index: Command Injection in LLama-Index CLI in run-llama/llama_index
Summary: CVE-2025-1753 llama-index: Command Injection in LLama-Index CLI in run-llama/...
Keywords:
Status: NEW
Alias: CVE-2025-1753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority) / high (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-05-28 10:01 UTC by OSIDB Bzimport
Modified: 2025-06-17 08:27 UTC
CC List: 31 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-05-28 10:01:09 UTC
LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The value of the `--files` argument is interpolated, without validation or quoting, into a command string that is passed to `os.system`. Because `os.system` hands that string to the system shell, an attacker who controls the argument can append shell metacharacters (for example `;`, `|`, `$(...)`) and execute arbitrary commands with the privileges of the CLI process. The issue is exploitable locally by anyone who can influence the CLI arguments, and remotely when a web application invokes the LLama-Index CLI with a user-controlled filename. Successful exploitation results in arbitrary code execution on the affected system.
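The pattern described above, as an added example that is not code from llama_index or from this bug report: `vulnerable_read` is a hypothetical stand-in for a CLI that interpolates a filename into a shell string, and `safe_read` is the hardened form a practitioner would want (argv list, no shell, every path confined to an allowed directory). The `cat` command, the `notes.txt` file and the `; echo INJECTED` payload are constructed for the demo. `subprocess.run(..., shell=True)` is used instead of `os.system` only so the output can be captured; both go through `/bin/sh -c`, which is exactly why the injection works.

```python
import subprocess
import tempfile
from pathlib import Path


def vulnerable_read(files: str) -> str:
    """Unsafe pattern (hypothetical, not llama_index's own code): the
    user-supplied argument is spliced into a shell command string.
    shell=True takes the same /bin/sh -c path as os.system()."""
    proc = subprocess.run(f"cat {files}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def safe_read(files: list[str], allowed_root: Path) -> str:
    """Hardened form: no shell, argv list, and each path must resolve to a
    regular file inside allowed_root. A metacharacter-laden argument is just
    an odd filename here and is rejected because it does not exist."""
    root = allowed_root.resolve()
    resolved = []
    for f in files:
        p = (root / f).resolve()
        if not p.is_relative_to(root) or not p.is_file():
            raise ValueError(f"refusing path outside {root} or not a file: {f!r}")
        resolved.append(str(p))
    # Arguments are passed as a list, so the shell never parses them.
    proc = subprocess.run(["cat", *resolved], shell=False,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def demo() -> dict:
    """Run both variants against a constructed directory and payload."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_text("hello\n")

        # Constructed attacker-controlled value for --files.
        payload = "notes.txt; echo INJECTED"

        # Vulnerable path: the shell sees "cat <root>/notes.txt; echo INJECTED".
        vuln_out = vulnerable_read(f"{root}/{payload}")

        # Hardened path: the same string is treated as a single filename.
        try:
            safe_read([payload], root)
            safe_rejected = False
        except ValueError:
            safe_rejected = True

        # Hardened path still works for a legitimate filename.
        safe_out = safe_read(["notes.txt"], root)

        return {
            "vulnerable_output": vuln_out,
            "safe_rejected": safe_rejected,
            "safe_output": safe_out,
        }


if __name__ == "__main__":
    print(demo())
```

The containment check (`is_relative_to` after `resolve()`) also closes the related path-traversal hole that an argv-only fix leaves open; if the CLI genuinely needs to accept arbitrary paths, drop the root check but keep the list-form `subprocess.run` with `shell=False`.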

