
CVE-2025-7647: CWE-378 Creation of Temporary File With Insecure Permissions in run-llama run-llama/llama_index

Severity: High
Published: Sat Sep 27 2025 (09/27/2025, 16:34:36 UTC)
Source: CVE Database V5
Vendor/Project: run-llama
Product: run-llama/llama_index

Description

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions.

AI-Powered Analysis

Last updated: 10/05/2025, 00:50:16 UTC

Technical Analysis

CVE-2025-7647 is a high-severity vulnerability affecting the run-llama project's llama-index-core package, specifically versions up to 0.12.44. The vulnerability arises from the insecure handling of temporary files in the get_cache_dir() function on Linux systems. The function uses a hardcoded and predictable directory path, /tmp/llama_index, to store cached data without implementing proper security controls such as restrictive permissions or unique directory names. This insecure temporary file creation is classified under CWE-378 (Creation of Temporary File With Insecure Permissions), CWE-377 (Insecure Temporary File), and CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition), indicating the risk of race conditions and symlink attacks. On multi-user Linux systems, an attacker with limited privileges can exploit this vulnerability by accessing or manipulating the shared /tmp/llama_index directory. Potential attack vectors include stealing proprietary machine learning models stored in the cache, poisoning cached embeddings to influence model behavior, or creating symbolic links to redirect file operations, potentially leading to privilege escalation or data corruption. The vulnerability requires local access with low privileges (PR:L) but no user interaction (UI:N) and has a CVSS 3.0 score of 7.3, reflecting high confidentiality and integrity impact with low availability impact. No known exploits are currently reported in the wild, but the predictable nature of the temporary directory and the common use of shared Linux environments make exploitation feasible in certain contexts.

Potential Impact

For European organizations, especially those deploying run-llama/llama_index on shared Linux servers or multi-tenant environments, this vulnerability poses significant risks. Confidentiality is at high risk as attackers could exfiltrate proprietary AI models or sensitive cached data, potentially exposing intellectual property or sensitive analytics. Integrity is also highly impacted since attackers can poison cached embeddings, leading to corrupted or manipulated AI outputs, which can affect decision-making processes or automated workflows. Availability impact is low but possible if attackers disrupt cache operations. Organizations in sectors relying heavily on AI/ML models—such as finance, healthcare, manufacturing, and research institutions—may face operational and reputational damage if their models are compromised. The vulnerability is particularly concerning in environments where multiple users share the same Linux system, such as cloud-hosted platforms, research clusters, or development servers common in European tech ecosystems.

Mitigation Recommendations

To mitigate CVE-2025-7647, organizations should first upgrade to a patched version of the llama-index-core package once available. Until then, administrators should implement strict access controls on the /tmp/llama_index directory by setting restrictive permissions (e.g., chmod 700) and ensuring it is owned by the application user to prevent unauthorized access. Employing unique, unpredictable temporary directory names per user or process can reduce the risk of symlink attacks. Running the application in isolated environments such as containers or dedicated virtual machines can limit multi-user exposure. Additionally, monitoring file system changes and access to /tmp/llama_index can help detect suspicious activity. Incorporating mandatory access control (MAC) systems like SELinux or AppArmor to restrict file operations on temporary directories can further harden the environment. Finally, educating developers to avoid hardcoded temporary paths and to use secure temporary file APIs (e.g., mkdtemp) will prevent recurrence.
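The directory checks recommended above (owner-only permissions, ownership by the application user, no symlink in place of the directory) can be sketched as follows. This is an added example, not llama-index-core's own code or its patch; `secure_cache_dir` and `UnsafeCacheDir` are hypothetical names, and the per-user default parent (`XDG_CACHE_HOME` or `~/.cache`) is an assumption.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class UnsafeCacheDir(Exception):
    """Raised when an existing cache directory cannot be trusted."""


def secure_cache_dir(parent: Optional[str] = None, name: str = "llama_index") -> Path:
    """Create or validate a private (0700) cache directory (hypothetical helper)."""
    if parent is None:
        # Assumption: a per-user location replaces the shared /tmp path.
        parent = os.environ.get("XDG_CACHE_HOME", os.path.expanduser("~/.cache"))
    os.makedirs(parent, mode=0o700, exist_ok=True)
    path = Path(parent) / name
    try:
        # mkdir fails with EEXIST if anything, including a symlink, holds the name.
        os.mkdir(path, mode=0o700)
    except FileExistsError:
        pass
    # lstat does not follow symlinks, so a planted link is seen as a link.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path} is not a real directory")
    if st.st_uid != os.getuid():
        raise UnsafeCacheDir(f"{path} is owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise UnsafeCacheDir(f"{path} is accessible to group or other")
    return path


if __name__ == "__main__":
    # Constructed demo: a scratch parent, with a symlink pre-planted at the
    # predictable name to stand in for another local user's interference.
    parent = tempfile.mkdtemp(prefix="demo_parent_")
    print("created:", secure_cache_dir(parent, "clean"))
    os.symlink(tempfile.mkdtemp(prefix="elsewhere_"), os.path.join(parent, "planted"))
    try:
        secure_cache_dir(parent, "planted")
    except UnsafeCacheDir as exc:
        print("rejected:", exc)
```

The check is only sound when other users cannot rename or replace entries in the parent directory, which is why the default is a per-user location rather than a name under `/tmp`.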


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2025-07-14T16:44:34.096Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68d813d8c38eb2a1b8713fdc

Added to database: 9/27/2025, 4:42:00 PM

Last enriched: 10/5/2025, 12:50:16 AM

Last updated: 11/8/2025, 8:34:12 PM
