What is the CVSS score of EUVD-2025-20210?

EUVD-2025-20210 has a CVSS 3.0 base score of 6.2 (Medium). CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Llamaindex are affected by EUVD-2025-20210?

CVE-2025-6210 presents moderate security risk, a path traversal vulnerability rated CVSS 6.2. This could allow unauthorized file access. Proof-of-concept code is publicly available.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-20210?

Yes, a public proof-of-concept exploit is available for EUVD-2025-20210. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2025-20210?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

Llamaindex EUVD-2025-20210

| CVE-2025-6210 MEDIUM

Path Traversal (CWE-22)

2025-07-07 security@huntr.dev

GHSA-3j8r-jf9w-5cmh

Path Traversal Llamaindex D-Link Red Hat

6.2

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

6.2 MEDIUM

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Red Hat

4.0 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 03:37 euvd

EUVD-2025-20210

Analysis Generated

Mar 16, 2026 - 03:37 vuln.today

Patch released

Mar 16, 2026 - 03:37 nvd

Patch available

PoC Detected

Jul 30, 2025 - 20:01 vuln.today

Public exploit code

CVE Published

Jul 07, 2025 - 10:15 nvd

MEDIUM 6.2

DescriptionCVE.org

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2.

Analysis

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Vendor StatusVendor

EUVD-2025-20210 vulnerability details – vuln.today

Back

Llamaindex EUVD-2025-20210

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code