What is the CVSS score of EUVD-2025-20216?

EUVD-2025-20216 has a CVSS 3.0 base score of 7.5 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Llamaindex are affected by EUVD-2025-20216?

CVE-2025-3046 presents notable security risk, a path traversal vulnerability rated CVSS 7.5.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-20216?

Yes, a public proof-of-concept exploit is available for EUVD-2025-20216. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-20216?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.

Llamaindex EUVD-2025-20216

| CVE-2025-3046 HIGH

Path Traversal (CWE-22)

2025-07-07 security@huntr.dev

GHSA-fmrf-6jv9-qjc7

Path Traversal Llamaindex Red Hat

7.5

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Red Hat

5.3 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 03:37 euvd

EUVD-2025-20216

Analysis Generated

Mar 16, 2026 - 03:37 vuln.today

Patch released

Mar 16, 2026 - 03:37 nvd

Patch available

PoC Detected

Jul 30, 2025 - 21:25 vuln.today

Public exploit code

CVE Published

Jul 07, 2025 - 10:15 nvd

HIGH 7.5

DescriptionCVE.org

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The ObsidianReader fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.

Analysis

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Vendor StatusVendor

EUVD-2025-20216 vulnerability details – vuln.today

Back

Llamaindex EUVD-2025-20216

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code