
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-6210 is a path traversal vulnerability in the ObsidianReader class of the run-llama/llamaindex repository, version 0.12.27. It was disclosed on July 7, 2025, and affects the llamaindex software package. The flaw lets an attacker bypass the reader's path restrictions by placing a hardlink inside the directory it reads (NVD, RedHat).
The root cause is inadequate handling of hardlinks in the load_data() method of the ObsidianReader class: the existing security checks do not distinguish a genuine file inside the vault from a hardlink that shares its inode with a file outside it. The issue has a CVSS 3.0 base score of 6.2 (Medium) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning local access is required but no privileges or user interaction are needed. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).
By exploiting hardlinks, an attacker can bypass the path restrictions and potentially read sensitive system files such as /etc/passwd through the reader. On RedHat systems the impact is limited, however, because most users are not given access to sensitive files, so a compromised process using llama index will not reach general system secrets unless it has been granted elevated permissions (RedHat).
The vulnerability is resolved in version 0.5.2 of the software. The fix adds checks that identify hardlinks and skip them in the file processing routine (GitHub Commit).
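The following is an added illustration of the class of check the fix describes, not code from the llamaindex project: a vault walker that skips any file whose link count is above 1 (a hardlink) and any file that resolves outside the vault root (a symlink escape). The `.md` filter, the function names and the constructed vault layout in `demo()` are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path


def is_within(path: Path, root: Path) -> bool:
    """True when the fully resolved path lies inside the resolved root."""
    try:
        path.resolve(strict=True).relative_to(root.resolve(strict=True))
        return True
    except (ValueError, OSError):
        return False


def collect_safe_notes(vault_root: str) -> tuple[list[str], list[str]]:
    """Return (accepted, skipped) basenames of .md files under vault_root.

    A hardlink shares its inode with the original file, so a path check
    alone cannot tell a hardlinked copy of an outside file from a real
    note; the link count (st_nlink) can, which is why hardlinks are skipped.
    """
    root = Path(vault_root)
    accepted, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            candidate = Path(dirpath) / name
            if candidate.suffix != ".md" or not is_within(candidate, root):
                skipped.append(name)  # wrong type or symlink escaping the vault
                continue
            st = os.stat(candidate, follow_symlinks=False)
            if st.st_nlink > 1:  # hardlink: skip it, as the fix does
                skipped.append(name)
                continue
            accepted.append(name)
    return sorted(accepted), sorted(skipped)


def demo() -> tuple[list[str], list[str]]:
    """Constructed vault: one real note, one hardlink and one symlink to an
    outside file (stand-in for a sensitive file); classify its contents."""
    base = Path(tempfile.mkdtemp())
    vault, outside = base / "vault", base / "outside"
    vault.mkdir()
    outside.mkdir()
    (vault / "note.md").write_text("# real note\n")
    (outside / "secret.txt").write_text("not for the reader\n")
    os.link(outside / "secret.txt", vault / "hardlink.md")
    os.symlink(outside / "secret.txt", vault / "symlink.md")
    return collect_safe_notes(str(vault))  # (['note.md'], ['hardlink.md', 'symlink.md'])
```

Running `demo()` requires a filesystem that supports hardlinks and symlinks within the temporary directory, which is the case on a typical Linux host.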
Source: This report was generated using AI