Strix
26.1K

CVE-2025-3046

UnknownEPSS 0.56%

Last modified

CVE-2025-3046 is a vulnerability of currently unknown severity. A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. EPSS estimates a 0.56% chance of exploitation in the next 30 days.

Description

A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Metrics

EPSS Probability
0.56%

42.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LlamaindexLlamaindex>= 0.12.23, < 0.12.28

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-3046?
A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.
How severe is CVE-2025-3046?
Severity scoring for CVE-2025-3046 is pending analysis. The EPSS model estimates a 0.56% probability of exploitation in the next 30 days.
How do I fix CVE-2025-3046?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-3046?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST