Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/37091?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37091?format=api", "vulnerability_id": "VCID-pwa9-7xgw-vkgu", "summary": "A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker who can control the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises because the file path is not properly validated or sanitized, so path traversal sequences can reach files outside the intended directory. The vulnerability is fixed in version 0.12.41 of both `llama-index` and `llama-index-core`.", "aliases": [ { "alias": "CVE-2025-6209" }, { "alias": "GHSA-2rhq-96q8-4vjq" }, { "alias": "PYSEC-2025-65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46022?format=api", "purl": "pkg:pypi/llama-index@0.12.41", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.41" }, { "url": "http://public2.vulnerablecode.io/api/packages/73779?format=api", "purl": "pkg:pypi/llama-index-core@0.12.41", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.41" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46008?format=api", "purl": "pkg:pypi/llama-index@0.12.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/46009?format=api", "purl": "pkg:pypi/llama-index@0.12.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.28" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/46010?format=api", "purl": "pkg:pypi/llama-index@0.12.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.29" }, { "url": "http://public2.vulnerablecode.io/api/packages/46011?format=api", "purl": "pkg:pypi/llama-index@0.12.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/46012?format=api", "purl": "pkg:pypi/llama-index@0.12.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.31" }, { "url": "http://public2.vulnerablecode.io/api/packages/46013?format=api", "purl": "pkg:pypi/llama-index@0.12.32", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/46014?format=api", "purl": "pkg:pypi/llama-index@0.12.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.33" }, { "url": "http://public2.vulnerablecode.io/api/packages/46015?format=api", "purl": "pkg:pypi/llama-index@0.12.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/46016?format=api", "purl": "pkg:pypi/llama-index@0.12.35", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.35" }, { "url": "http://public2.vulnerablecode.io/api/packages/46017?format=api", "purl": "pkg:pypi/llama-index@0.12.36", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.36" }, { "url": "http://public2.vulnerablecode.io/api/packages/46018?format=api", "purl": "pkg:pypi/llama-index@0.12.37", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.37" }, { "url": "http://public2.vulnerablecode.io/api/packages/46019?format=api", "purl": "pkg:pypi/llama-index@0.12.38", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.38" }, { "url": "http://public2.vulnerablecode.io/api/packages/46020?format=api", "purl": "pkg:pypi/llama-index@0.12.39", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.39" }, { "url": "http://public2.vulnerablecode.io/api/packages/46021?format=api", "purl": "pkg:pypi/llama-index@0.12.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.40" }, { "url": "http://public2.vulnerablecode.io/api/packages/85641?format=api", "purl": "pkg:pypi/llama-index-core@0.12.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwa9-7xgw-vkgu" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.27" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6209.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6209.json" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-65.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-65.yaml" }, { "reference_url": "https://github.com/run-llama/llama_index", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index" }, { "reference_url": "https://github.com/run-llama/llama_index/commit/cdeaab91a204d1c3527f177dac37390327aef274", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/run-llama/llama_index/commit/cdeaab91a204d1c3527f177dac37390327aef274" }, { "reference_url": "https://huntr.com/bounties/e89d14f8-bfe8-4c9a-bb2a-656c01cc9a68", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/e89d14f8-bfe8-4c9a-bb2a-656c01cc9a68" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376808", "reference_id": "2376808", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376808" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6209", "reference_id": "CVE-2025-6209", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6209" }, { "reference_url": "https://github.com/advisories/GHSA-2rhq-96q8-4vjq", "reference_id": "GHSA-2rhq-96q8-4vjq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2rhq-96q8-4vjq" } ], "weaknesses": [ { "cwe_id": 29, "name": "Path Traversal: '\\..\\filename'", "description": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." 
} ], "exploits": [], "severity_range_score": "5.3 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pwa9-7xgw-vkgu" }