VYPR
Moderate severity · NVD Advisory · Published Jul 7, 2025 · Updated Jul 7, 2025

Hardlink-Based Path Traversal in run-llama/llama_index

CVE-2025-6210

Description

A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A hardlink-based path traversal in llama_index's ObsidianReader allows attackers to bypass path checks and read sensitive system files.

Vulnerability

Overview

The ObsidianReader class in the run-llama/llama_index repository (version 0.12.27) contains a hardlink-based path traversal vulnerability in its load_data() method [1][3]. The root cause is that the security checks fail to distinguish between regular files and hardlinks: an attacker can create a hardlink to a sensitive file (e.g., /etc/passwd) inside the vault directory being read, and the reader processes it because the path check passes [1]. The fix commit adds an is_hardlink() function that checks st_nlink > 1 and skips such files [3].

Attack

Vector and Exploitation

Exploitation requires the attacker to have write access to the filesystem directory being read by the Obsidian reader (e.g., a shared vault), which lets them create a hardlink pointing to any file on the system. No authentication beyond that file-write capability is needed; the reader then processes the hardlinked file without rejecting it [1]. The vulnerable check only examines whether the resolved path starts with the input directory, and a hardlink is a second directory entry for the original file's inode that lives inside that directory, so the check passes while the content read is that of the original file [1].

Impact

A successful exploit allows an attacker to read arbitrary files on the host filesystem, including sensitive system files like /etc/passwd, potentially leaking credentials or configuration data [1]. This could lead to privilege escalation or further compromise of the system.

Mitigation

The vulnerability is patched in version 0.5.2 of the llama-index-readers-obsidian package, which introduces a hardlink check and prints a warning before skipping such files [3]. Users should update to this version or apply the commit a86c96ae0e662492eeb471b658ae849a93f628ff [3]. No workarounds are documented; restricting write access to the Obsidian vault directory can reduce risk.
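The mechanism above, as an added example that is not the project's own code: a small Python script that builds a constructed vault in a temporary directory, hardlinks an outside file into it, and runs two containment checks side by side. `is_hardlink` mirrors the st_nlink > 1 test from the fix commit; `prefix_only_check` reproduces the pre-fix string-prefix containment test; `safe_to_read` and `demo` are hypothetical helpers added here. The example goes one step beyond the advisory by also showing that a plain startswith test accepts a sibling directory whose name merely begins with the vault's name, which the commonpath-based check rejects.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def is_hardlink(filepath: Path) -> bool:
    """True when the inode behind filepath has more than one directory entry.

    os.stat follows symlinks, so callers should pass an already-resolved path,
    as the fixed load_data() does. Any file with st_nlink > 1 counts, so benign
    hardlinks are skipped too: the test is conservative, not precise.
    """
    return os.stat(filepath).st_nlink > 1


def prefix_only_check(input_dir: Path, filepath: Path) -> bool:
    """Pre-fix style containment test: a bare string-prefix comparison."""
    return str(filepath.resolve()).startswith(str(input_dir.resolve()))


def safe_to_read(input_dir: Path, filepath: Path) -> Tuple[bool, str]:
    """Hypothetical hardened check: real containment, then the hardlink test."""
    input_dir_abs = input_dir.resolve()
    resolved = filepath.resolve()
    try:
        contained = os.path.commonpath([input_dir_abs, resolved]) == str(input_dir_abs)
    except ValueError:  # paths on different drives (Windows) share no common path
        contained = False
    if not contained:
        return False, "outside input directory"
    if not resolved.is_file():
        return False, "not a regular file"
    if is_hardlink(resolved):
        return False, "hardlink"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, Tuple[bool, str]]]:
    """Build a constructed vault layout in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vault = root / "vault"
        vault.mkdir()
        (vault / "note.md").write_text("# an ordinary note\n")

        # Constructed stand-in for a sensitive file that lives outside the vault.
        secret = root / "secret.txt"
        secret.write_text("constructed sensitive content\n")
        # A second directory entry for the same inode, placed inside the vault.
        os.link(secret, vault / "looks_like_a_note.md")

        # Sibling directory whose name merely starts with the vault's name.
        sibling = root / "vault_other"
        sibling.mkdir()
        (sibling / "x.md").write_text("outside the vault\n")

        results = {}
        for p in (vault / "note.md", vault / "looks_like_a_note.md", sibling / "x.md"):
            results[p.name] = (prefix_only_check(vault, p), safe_to_read(vault, p))
        return results


if __name__ == "__main__":
    for name, (prefix_ok, (hardened_ok, reason)) in demo().items():
        print(f"{name:24} prefix-only={prefix_ok!s:5} hardened={hardened_ok!s:5} ({reason})")
```

Running the script shows the prefix-only check accepting all three paths, while the hardened check keeps only note.md. The hardlink test is done on the resolved path, as in the fix, because os.stat follows symlinks and the containment test has already handled symlink targets outside the vault.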

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Affected versions   Patched versions
llama-index-readers-obsidian (PyPI)    < 0.5.2             0.5.2

Affected products

2 products
  • Range: <=0.12.27 (but fixed in 0.5.2 — conflicting ranges, see reasoning)
  • run-llama/run-llama/llama_index (v5)
    Range: unspecified

Patches

1 patch
a86c96ae0e66

Obsidian reader checks and skips hardlinks (#18950)

https://github.com/run-llama/llama_index · Clelia (Astra) Bertelli · Jun 3, 2025 · via ghsa
2 files changed · +18 −1
  • llama-index-integrations/readers/llama-index-readers-obsidian/llama_index/readers/obsidian/base.py · +17 −0 · modified
    @@ -30,6 +30,18 @@
     from llama_index.readers.file import MarkdownReader
     
     
    +def is_hardlink(filepath: Path) -> bool:
    +    """
    +    Check if a file is a hardlink by checking the number of links to/from it.
    +
    +    Args:
    +        filepath (Path): path to the file.
    +
    +    """
    +    stat_info = os.stat(filepath)
    +    return stat_info.st_nlink > 1
    +
    +
     class ObsidianReader(BaseReader):
         """
         input_dir (str): Path to the Obsidian vault.
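Review bot: the docstring on is_hardlink says "links to/from it", but a hard link has no direction; st_nlink is the number of directory entries that reference the inode, and the docstring should gain a Returns: section saying True means more than one such entry exists. Two caveats belong in the body: os.stat follows symlinks, so the count is the target's (fine here only because the caller passes the already-resolved path), and any legitimately hard-linked file in the vault (some sync and backup tools create them) will be skipped, so the check is conservative rather than precise. The hunk also does not show `import os` or `from pathlib import Path`; the later use of os.path.join and Path in load_data suggests they are present, but confirm they sit above this insertion point in base.py.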
    @@ -68,6 +80,11 @@ def load_data(self, *args: Any, **load_kwargs: Any) -> List[Document]:
                         filepath = os.path.join(dirpath, filename)
                         file_path_obj = Path(filepath).resolve()
                         try:
    +                        if is_hardlink(filepath=file_path_obj):
    +                            print(
    +                                f"Warning: Skipping file because it is a hardlink (potential malicious exploit): {filepath}"
    +                            )
    +                            continue
                             if not str(file_path_obj).startswith(str(input_dir_abs)):
                                 print(
                                     f"Warning: Skipping file outside input directory: {filepath}"
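Review bot: placing the hardlink test before the containment check is correct, but the containment check it precedes remains a bare string-prefix test (`if not str(file_path_obj).startswith(str(input_dir_abs)):`): a vault at /data/vault would also accept /data/vault_backup/secret.md. Consider `os.path.commonpath([input_dir_abs, file_path_obj]) == str(input_dir_abs)` or Path.is_relative_to (Python 3.9+, which pyproject already requires). Style: the warning goes to stdout via print like the existing message; a logger.warning would be easier for operators to capture, and the parenthetical "(potential malicious exploit)" could be dropped since any file with st_nlink > 1 triggers it. Finally, os.stat now runs inside the try block, so confirm the except clause below handles FileNotFoundError/PermissionError rather than masking them.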
    
  • llama-index-integrations/readers/llama-index-readers-obsidian/pyproject.toml · +1 −1 · modified
    @@ -26,7 +26,7 @@ dev = [
     
     [project]
     name = "llama-index-readers-obsidian"
    -version = "0.5.1"
    +version = "0.5.2"
     description = "llama-index readers obsidian integration"
     authors = [{name = "Your Name", email = "you@example.com"}]
     requires-python = ">=3.9,<4.0"
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.