2403577 – (CVE-2025-7707) CVE-2025-7707 llama-index: World-Writable Cache Directory Vulnerability in llama_index

Bug 2403577 (CVE-2025-7707) - CVE-2025-7707 llama-index: World-Writable Cache Directory Vulnerability in llama_index

Summary: CVE-2025-7707 llama-index: World-Writable Cache Directory Vulnerability in ll...

Keywords:
Status:	NEW
Alias:	CVE-2025-7707
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-13 17:01 UTC by OSIDB Bzimport
Modified:	2025-10-13 20:04 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-13 17:01:28 UTC

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

Note You need to log in before you can comment on or make changes to this bug.