CVE-2025-1753

描述

LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

如何修補 CVE-2025-1753

要修補 CVE-2025-1753,請將受影響套件升級到下列已修補版本。

• —升級至 0.4.1 或更新版本

CVE-2025-1753 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.4.1

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-1753
• PATCHgithub.com/run-llama/llama_index
• WEBgithub.com/run-llama/llama_index/commit/b57e76738c53ca82d88658b82f2d82d1c7839c7d
• WEBhuntr.com/bounties/19e1c67e-1d77-451d-b10b-acbe99900b22