Vulnerability Description
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Llamaindex | Llamaindex | >= 0.12.33, < 0.13.0 |
Related Weaknesses (CWE)
References
- https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69Patch
- https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803ExploitThird Party Advisory
FAQ
What is CVE-2025-7707?
CVE-2025-7707 is a vulnerability with a CVSS score of 7.8 (HIGH). The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local u...
How severe is CVE-2025-7707?
CVE-2025-7707 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-7707?
Check the references section above for vendor advisories and patch information. Affected products include: Llamaindex Llamaindex.