VYPR
High severity8.1NVD Advisory· Published Sep 22, 2025· Updated Apr 15, 2026

CVE-2025-10854

CVE-2025-10854

Description

The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Neuml/Txtaireferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.