Description

LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

INFO

Published Date :

2025-05-28T09:34:10.993Z

Last Modified :

2025-05-28T13:25:50.026Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2025-1753 vulnerability.

Vendors Products
Llamaindex
  • Llamaindex
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-1753.

URL Resource
https://github.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d cve-icon cve-icon cve-icon
https://huntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-1753 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-1753 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact