CVE-2025-7707

Severity: HIGH | CVSS 7.8/10 | EPSS 0.17%

CVE-2025-7707 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
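The condition described above is an NLTK data tree that other local users can write to. As an added example (not code from llama_index or from this record), the audit below flags a data directory, and every entry under it, that is group- or world-writable or owned by someone else, and the second function creates the per-user, owner-only replacement directory and exports it through NLTK_DATA, the environment variable NLTK consults for its data search path. It assumes the deployment lets NLTK use that variable rather than a path inside the codebase; the demo tree is constructed sample data, not real NLTK files.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional


def audit_nltk_data_dir(root: Path, uid: Optional[int] = None) -> List[str]:
    """Entries in an NLTK data tree that a local user other than `uid` could modify."""
    uid = os.getuid() if uid is None else uid
    if not root.is_dir():
        return [f"{root}: not a directory"]
    findings = []
    for entry in [root, *root.rglob("*")]:
        st = entry.lstat()  # do not follow symlinks: a planted link is itself a finding
        if st.st_uid != uid:
            findings.append(f"{entry}: owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{entry}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{entry}: world-writable")
    return findings


def private_nltk_data_dir(base: Path) -> Path:
    """Create an owner-only (0700) per-user data directory and export it as NLTK_DATA.
    Assumption: the application leaves the data path to NLTK, which reads NLTK_DATA."""
    target = base / f"nltk_data-{os.getuid()}"
    target.mkdir(mode=0o700, exist_ok=True)
    target.chmod(0o700)  # mkdir's mode is filtered by umask; pin it explicitly
    os.environ["NLTK_DATA"] = str(target)
    return target


def demo() -> dict:
    """Constructed scenario: a shared 0777 tree (the vulnerable layout) beside the hardened one."""
    base = Path(tempfile.mkdtemp(prefix="nltk-audit-"))
    shared = base / "nltk_data"
    (shared / "tokenizers").mkdir(parents=True)
    (shared / "tokenizers" / "sample.zip").write_bytes(b"sample")  # sample file, not real data
    os.chmod(shared, 0o777)
    os.chmod(shared / "tokenizers", 0o777)
    os.chmod(shared / "tokenizers" / "sample.zip", 0o666)
    private = private_nltk_data_dir(base)
    return {"shared": audit_nltk_data_dir(shared), "private": audit_nltk_data_dir(private),
            "private_mode": stat.S_IMODE(private.stat().st_mode),
            "env_ok": os.environ.get("NLTK_DATA") == str(private)}
```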

Metrics

CVSS 3.1
7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.17%

6.3rd percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor     | Product    | Versions
Llamaindex | Llamaindex | >= 0.12.33, < 0.13.0

References

Timeline

Status: Analyzed

Frequently Asked Questions

What is CVE-2025-7707?
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
How severe is CVE-2025-7707?
CVE-2025-7707 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2025-7707?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-7707?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST