GHSA-3j8r-jf9w-5cmh

Source

https://github.com/advisories/GHSA-3j8r-jf9w-5cmh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-3j8r-jf9w-5cmh/GHSA-3j8r-jf9w-5cmh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3j8r-jf9w-5cmh

Aliases

CVE-2025-6210

Published

2025-07-07T12:30:23Z

Modified

2025-07-08T18:42:18.800114Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

LlamaIndex vulnerability in its ObsidianReader class can lead to Path Traversal exploit

Details

A vulnerability in the ObsidianReader class of the run-llama/llamaindex repository, before version 0.5.2 (specifically in version 0.12.27 of llama-index), allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the loaddata() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in llama-index-readers-obsidian version 0.5.2.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T18:15:37Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2025-07-07T10:15:29Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / llama-index-readers-obsidian

Package

Name: llama-index-readers-obsidian; View open source insights on deps.dev
Purl: pkg:pypi/llama-index-readers-obsidian

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.2

Affected versions

0.*

0.0.1

0.1.0

0.1.1

0.1.2

0.1.3

0.2.0

0.3.0

0.4.0

0.5.0

0.5.1