Platform
python
Component
llama-index-readers-obsidian
Fixed in
0.12.28
0.5.1
CVE-2025-3046 is a Path Traversal vulnerability discovered in the llama-index-readers-obsidian component, specifically within the ObsidianReader class. This flaw allows attackers to read files outside the intended vault directory by exploiting improper symlink resolution. Versions of llama-index-readers-obsidian prior to 0.5.1 (specifically, versions 0.12.23 to 0.12.28) are affected. A fix has been released in version 0.5.1.
The vulnerability lies in the ObsidianReader's handling of symbolic links. An attacker can create a symbolic link within the Obsidian vault directory that points to a file outside of the vault. When llama-index-readers-obsidian processes this symbolic link as a Markdown file, it will inadvertently read the target file, regardless of its location. This could expose sensitive data such as configuration files, database backups, or other confidential information stored on the system. The blast radius extends to any data accessible by the user running the llama-index-readers-obsidian component.
This vulnerability was publicly disclosed on 2025-07-07. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and developers using llama-index-readers-obsidian for integrating Obsidian vaults with LlamaIndex applications are at risk. This includes those deploying LlamaIndex in environments where sensitive data is stored within Obsidian vaults, particularly if the application runs with elevated privileges or has access to the broader file system.
• python / supply-chain:

```python
import subprocess
# Use PEP 440 aware comparison: a plain string comparison ('0.10.0' <= '0.5.0') gives wrong results
from packaging.version import Version


def check_llama_index_version():
    try:
        result = subprocess.check_output(
            ['pip', 'show', 'llama-index-readers-obsidian'],
            stderr=subprocess.STDOUT, text=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        # pip itself is missing, or pip exits non-zero because the package is not installed
        print("llama-index-readers-obsidian not installed.")
        return
    version = next(line.split(':', 1)[1].strip()
                   for line in result.splitlines() if line.startswith('Version:'))
    print(f"llama-index-readers-obsidian version: {version}")
    if Version(version) < Version('0.5.1'):
        print("VULNERABLE: Upgrade required.")
    else:
        print("Not vulnerable.")


check_llama_index_version()
```

• generic web: Check for unusual file access patterns in Obsidian vault logs. Look for requests attempting to access files outside the expected directory structure.
Disclosure
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to llama-index-readers-obsidian version 0.5.1 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider a temporary workaround: restrict the permissions of the user running the component so that it cannot create symbolic links within the Obsidian vault directory. Additionally, review the files processed by llama-index-readers-obsidian to ensure they are legitimate Markdown files and not unexpected symbolic links. After upgrading, confirm the fix by creating, inside the vault, a symbolic link that points to a file outside the vault and verifying that llama-index-readers-obsidian no longer reads the linked file.
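The following is an added example (not code from LlamaIndex or from this advisory) showing the check the fix is described as performing: every candidate Markdown file is fully resolved, symlinks included, and rejected if its real location is not under the resolved vault root. It also builds a constructed throwaway vault containing one genuine note and one symlink that points outside the vault, which doubles as the post-upgrade verification step mentioned above. All function and file names here are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def is_inside_vault(path: Path, vault_root: Path) -> bool:
    """True if the fully resolved path (symlinks followed) stays under the resolved vault root."""
    resolved = path.resolve(strict=False)
    root = vault_root.resolve(strict=True)
    try:
        resolved.relative_to(root)
        return True
    except ValueError:
        return False


def safe_vault_markdown_files(vault_root: str) -> tuple[list[str], list[str]]:
    """Walk the vault and return (accepted, rejected) lists of .md paths.

    A file is rejected when its real location lies outside the vault root, which is
    exactly the symlink escape described in the advisory. Symlinked directories are
    not descended into (followlinks=False), so they cannot pull in outside trees either.
    """
    root = Path(vault_root)
    accepted, rejected = [], []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.suffix != ".md":
                continue
            if is_inside_vault(candidate, root):
                accepted.append(str(candidate))
            else:
                rejected.append(str(candidate))
    return accepted, rejected


def build_demo_vault() -> tuple[str, str]:
    """Constructed fixture (hypothetical names): a vault with one genuine note and one
    symlink named like a note that points at a file outside the vault.
    Returns (vault_dir, outside_secret_path)."""
    base = Path(tempfile.mkdtemp(prefix="obsidian-demo-"))
    vault = base / "vault"
    vault.mkdir()
    (vault / "note.md").write_text("# genuine note\n")
    secret = base / "outside-secret.txt"
    secret.write_text("not for the index\n")
    (vault / "link.md").symlink_to(secret)  # the escape the advisory describes
    return str(vault), str(secret)


def run_demo() -> tuple[list[str], list[str]]:
    """Build the constructed vault and run the hardened loader over it."""
    vault, _secret = build_demo_vault()
    return safe_vault_markdown_files(vault)


if __name__ == "__main__":
    accepted, rejected = run_demo()
    print("accepted:", accepted)  # only note.md
    print("rejected:", rejected)  # link.md, because it resolves outside the vault
```

Resolving both the candidate and the vault root before comparing matters: comparing the unresolved path against the root would accept `link.md` because its textual path is inside the vault, which is the mistake the advisory describes.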
Update the `llama_index` library to version 0.12.29 or later. This fixes the path traversal vulnerability via symbolic links in the `ObsidianReader` class. The update ensures that symbolic links are resolved correctly and validated to prevent access to files outside the intended directory.
CVE-2025-3046 is a Path Traversal vulnerability in the llama-index-readers-obsidian component, allowing attackers to read arbitrary files via symbolic links in versions prior to 0.5.1.
You are affected if you are using llama-index-readers-obsidian versions 0.12.23 to 0.5.0. Versions before 0.5.1 are vulnerable.
Upgrade llama-index-readers-obsidian to version 0.5.1 or later. As a temporary workaround, restrict file access permissions within the Obsidian vault directory.
There is currently no indication of active exploitation campaigns targeting this vulnerability.
Refer to the LlamaIndex repository for updates and advisories: [https://github.com/run-llama/llamaindex](https://github.com/run-llama/llamaindex)