CVE-2025-6209: CWE-29 Path Traversal: '\..\filename' in run-llama run-llama/llama_index
Description
A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.
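The following is an added example, not llama_index's own code and not its 0.12.41 fix: a containment check of the kind that prevents this bug class, assuming the caller confines image loading to an allowed directory (`base_dir`), which the advisory does not describe. The names `resolve_within`, `is_within`, `encode_image_safely` and `run_demo` are hypothetical.

```python
import base64
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Requested path resolves outside the directory the caller allowed."""


def resolve_within(base_dir, requested):
    """Resolve `requested` and return it only if it stays under `base_dir`.
    '\\' is treated as a separator first so a '\\..\\filename' sequence
    (CWE-29) is caught on any platform; resolve() follows symlinks too.
    """
    base = Path(base_dir).resolve()
    # An absolute `requested` replaces `base` in the join; relative_to() then rejects it.
    candidate = (base / requested.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {base}") from None
    return candidate


def is_within(base_dir, requested):
    """Boolean form of the same check, for tests and logging."""
    try:
        resolve_within(base_dir, requested)
    except PathTraversalError:
        return False
    return True


def encode_image_safely(image_path, base_dir):
    """Base64-encode an image file only after the containment check passes."""
    path = resolve_within(base_dir, image_path)
    if not path.is_file():
        raise FileNotFoundError(path)
    return base64.b64encode(path.read_bytes()).decode("utf-8")


def run_demo():
    """Constructed scenario: an allowed images dir with a secret file beside it."""
    payload = b"constructed-image-bytes"
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        (images / "cat.png").write_bytes(payload)
        (Path(tmp) / "secret.txt").write_text("must not be reachable via image_path")
        probes = {"dotdot": "../secret.txt", "backslash": "..\\secret.txt",
                  "absolute": str(Path(tmp) / "secret.txt")}
        results = {name: is_within(images, p) for name, p in probes.items()}
        results["legit"] = base64.b64decode(encode_image_safely("cat.png", images)) == payload
    return results
```

Because the check runs on the resolved path, a symlink planted inside the allowed directory that points elsewhere is rejected as well.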
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-06-17T17:33:02.165Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 686bbff86f40f0eb72e88b8b
Added to database: 7/7/2025, 12:39:20 PM
Last updated: 7/7/2025, 12:39:20 PM