llama-index-core 0.12.30 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the llama-index-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insecure Temporary File llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Insecure Temporary File due to setting the NLTK data directory to a shared, world-writable subdirectory. An attacker can overwrite, delete, or corrupt data files by exploiting the shared cache directory in a multi-user environment. How to fix Insecure Temporary File? Upgrade `llama-index-core` to version 0.12.50 or higher.	[,0.12.50)
H Creation of Temporary File With Insecure Permissions llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the `get_cache_dir` function, which uses a predictable and hardcoded directory path `/tmp/llama_index` without proper security controls. An attacker can access or manipulate sensitive files by exploiting this predictable path, potentially stealing proprietary models, poisoning cached embeddings, or conducting symlink attacks. Note: This is only exploitable if multiple users share the same Linux system. How to fix Creation of Temporary File With Insecure Permissions? Upgrade `llama-index-core` to version 0.12.50 or higher.	[0,0.12.50)
H Uncontrolled Recursion llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Uncontrolled Recursion via the `JSONReader` component. An attacker can cause excessive resource consumption and crash the process by submitting deeply nested JSON files. How to fix Uncontrolled Recursion? Upgrade `llama-index-core` to version 0.12.38 or higher.	[,0.12.38)
C Arbitrary File Write via Archive Extraction (Zip Slip) llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the `encode_image` function. An attacker can access arbitrary files on the server by supplying crafted `image_path` values containing path traversal sequences. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `llama-index-core` to version 0.12.41 or higher.	[,0.12.41)
H Deserialization of Untrusted Data llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `JsonPickleSerializer` process. An attacker can execute arbitrary code by submitting specially crafted serialized data that triggers the insecure fallback to Python's pickle module. How to fix Deserialization of Untrusted Data? Upgrade `llama-index-core` to version 0.12.41 or higher.	[,0.12.41)
H Uncontrolled Recursion llama-index-core is an Interface between LLMs and your data Affected versions of this package are vulnerable to Uncontrolled Recursion via the `JSONReader` process. An attacker can cause the application to crash by submitting deeply nested JSON structures, resulting in a stack overflow and service disruption. How to fix Uncontrolled Recursion? Upgrade `llama-index-core` to version 0.12.38 or higher.	[,0.12.38)

Vulnerability

Vulnerable Version

Insecure Temporary File

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Insecure Temporary File due to setting the NLTK data directory to a shared, world-writable subdirectory. An attacker can overwrite, delete, or corrupt data files by exploiting the shared cache directory in a multi-user environment.

How to fix Insecure Temporary File?

Upgrade llama-index-core to version 0.12.50 or higher.

[,0.12.50)

Creation of Temporary File With Insecure Permissions

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the get_cache_dir function, which uses a predictable and hardcoded directory path /tmp/llama_index without proper security controls. An attacker can access or manipulate sensitive files by exploiting this predictable path, potentially stealing proprietary models, poisoning cached embeddings, or conducting symlink attacks.

Note: This is only exploitable if multiple users share the same Linux system.

How to fix Creation of Temporary File With Insecure Permissions?

Upgrade llama-index-core to version 0.12.50 or higher.

[0,0.12.50)

Uncontrolled Recursion

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Uncontrolled Recursion via the JSONReader component. An attacker can cause excessive resource consumption and crash the process by submitting deeply nested JSON files.

How to fix Uncontrolled Recursion?

Upgrade llama-index-core to version 0.12.38 or higher.

[,0.12.38)

Arbitrary File Write via Archive Extraction (Zip Slip)

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the encode_image function. An attacker can access arbitrary files on the server by supplying crafted image_path values containing path traversal sequences.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade llama-index-core to version 0.12.41 or higher.

[,0.12.41)

Deserialization of Untrusted Data

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JsonPickleSerializer process. An attacker can execute arbitrary code by submitting specially crafted serialized data that triggers the insecure fallback to Python's pickle module.

How to fix Deserialization of Untrusted Data?

Upgrade llama-index-core to version 0.12.41 or higher.

[,0.12.41)

Uncontrolled Recursion

llama-index-core is an Interface between LLMs and your data

Affected versions of this package are vulnerable to Uncontrolled Recursion via the JSONReader process. An attacker can cause the application to crash by submitting deeply nested JSON structures, resulting in a stack overflow and service disruption.

How to fix Uncontrolled Recursion?

Upgrade llama-index-core to version 0.12.38 or higher.

[,0.12.38)

llama-index-core@0.12.30 vulnerabilities

Interface between LLMs and your data

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically