CVE-2025-7707
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-21
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| llamaindex | llamaindex | From 0.12.33 (inc) to 0.13.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in llama_index version 0.12.33 is due to the NLTK data directory being set to a world-writable subdirectory of the codebase by default. This means that in multi-user environments, local users can overwrite, delete, or corrupt NLTK data files. The root cause is the use of a shared cache directory instead of a user-specific one, which allows local data tampering and denial of service.
How can this vulnerability impact me?
This vulnerability can allow local users to perform denial of service by deleting or corrupting NLTK data files, tamper with data by overwriting files, or potentially escalate their privileges by exploiting the writable shared cache directory.
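A defensive check for the condition described in the answers above, added here as an example and not taken from llama_index or BaseFortify: it audits a data directory tree for world-writable, symlinked or foreign-owned entries, and creates a per-user directory with mode 0700 as the alternative. The function names, the `nltk_data` leaf name and the sample tree are assumptions constructed for illustration; POSIX only.

```python
import os
import stat
import tempfile


def audit_data_dir(root):
    """Return (path, reason) findings for every entry under a data directory."""
    trusted = {0, os.getuid()}  # root and the invoking user
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_uid not in trusted:
            findings.append((path, "untrusted-owner"))
    return findings


def private_data_dir(base):
    """Create (or validate) a user-specific data directory with mode 0700."""
    path = os.path.join(base, "nltk_data")  # hypothetical leaf name
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError(f"refusing to use {path}: symlink or foreign owner")
    os.chmod(path, 0o700)  # makedirs mode is masked by umask and skipped if dir existed
    return path


def demo():
    """Constructed sample: a shared cache with loose modes vs. a private one."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared_cache")
        sub = os.path.join(shared, "tokenizers")
        os.makedirs(sub)
        data_file = os.path.join(sub, "punkt.zip")
        open(data_file, "w").close()
        os.chmod(shared, 0o777)     # any local user can add or remove entries
        os.chmod(sub, 0o755)
        os.chmod(data_file, 0o666)  # any local user can overwrite the data
        bad = [(os.path.basename(p), r) for p, r in audit_data_dir(shared)]
        good = audit_data_dir(private_data_dir(os.path.join(tmp, "home")))
        return bad, good


if __name__ == "__main__":
    print(demo())
```

NLTK reads the `NLTK_DATA` environment variable when building its data search path; whether a given llama_index release honors it over its own default should be verified against that release.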