CVE-2025-6210 — LlamaIndex vulnerability in its ObsidianReader class can lead to Path Traversal

Description

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, before version 0.5.2 (specifically in version 0.12.27 of llama-index), allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in llama-index-readers-obsidian version 0.5.2.

How to fix CVE-2025-6210

To remediate CVE-2025-6210, upgrade the affected package to a fixed version below.

—upgrade to 0.5.2 or later

Is CVE-2025-6210 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.2	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-6210
PATCHgithub.com/run-llama/llama_index
WEBgithub.com/run-llama/llama_index/commit/a86c96ae0e662492eeb471b658ae849a93f628ff
WEBhuntr.com/bounties/a654b322-a509-4448-a1f5-0f22850b4687