llama-index-core Insecure Temporary File Handling Vulnerability Allowing Model Theft and Cache Poisoning
Vulnerability
A vulnerability exists in the llama-index-core package, in version 0.12.44 and prior, within the get_cache_dir() function. The issue arises because the function uses a predictable, hardcoded directory path, /tmp/llama_index, on Linux systems without adequate security measures. This flaw enables attackers on multi-user systems to steal proprietary models, contaminate cached embeddings, or perform symlink attacks. The vulnerability affects all Linux environments where multiple users share the same system.
Impact
Exploitation of this vulnerability could lead to unauthorized access and theft of proprietary models and embeddings, manipulation of cached data causing incorrect application results, potential corruption of user configuration files, and in some cases, privilege escalation.
Reproduction
The vulnerability can be reproduced on a Linux system running llama-index-core version 0.12.44 or earlier. Once the application is run, the hardcoded cache directory is created at /tmp/llama_index. An attacker can then exploit the predictable path to steal cached models or embeddings, poison the cache with malicious data, or conduct a symlink attack by creating a symlink to a sensitive file, which the application may inadvertently overwrite or corrupt.
Remediation
Users can update to llama-index-core version 0.13.0 or later, where this vulnerability has been fixed.
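The weakness described above is the classic shared-/tmp pattern: a fixed, world-known path that any local user can pre-create, fill, or replace with a symlink before the application touches it. The example below is an added illustration of how a cache-directory helper can be hardened against that pattern; it is not llama-index-core's code and does not claim to be the fix shipped in 0.13.0. The function names (get_cache_dir_hardened, cache_dir_problems, demo) and the choice of a per-user base directory (XDG_CACHE_HOME or ~/.cache) are assumptions made for this example. It creates the directory with owner-only permissions, then verifies with lstat that the final path is a real directory (not a symlink), is owned by the current user, and grants no group or other access. The demo function builds three constructed layouts under a scratch directory to show what the checks report for a private directory, a world-writable one, and a symlink planted at the expected path.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def cache_dir_problems(path, uid=None):
    """Return a list of reasons why `path` is unsafe to use as a cache
    directory; an empty list means it passed every check.
    (Hypothetical helper for this example, not library code.)"""
    uid = os.getuid() if uid is None else uid
    problems = []
    try:
        # lstat, not stat: we want to see a symlink itself, not its target.
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink at the cache path means whatever we write lands wherever
        # the link's creator pointed it; refuse outright.
        return ["symlink"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != uid:
        problems.append(f"owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other access bits set: {stat.filemode(st.st_mode)}")
    return problems


def get_cache_dir_hardened(app_name="llama_index", base=None):
    """Return a cache directory private to the current user, or raise.
    Default base is $XDG_CACHE_HOME or ~/.cache (an assumed convention here),
    so two users never compete for the same path the way they do in /tmp."""
    if base is None:
        base = Path(os.environ.get("XDG_CACHE_HOME") or Path.home() / ".cache")
    path = Path(base) / app_name
    try:
        # 0o700 is further restricted by umask, never widened; parents get
        # default permissions, which is fine because only the leaf is checked.
        path.mkdir(mode=0o700, parents=True, exist_ok=True)
    except FileExistsError:
        # Something (possibly a dangling symlink) already sits at the path;
        # fall through and let the checks below decide.
        pass
    problems = cache_dir_problems(path)
    if problems:
        raise PermissionError(f"refusing to use {path}: {', '.join(problems)}")
    return path


def demo(tmp_root=None):
    """Build three constructed cache-dir layouts under a scratch directory and
    report what the checks say about each. Cleans up after itself."""
    root = Path(tmp_root or tempfile.mkdtemp(prefix="cache-demo-"))
    try:
        # 1. Directory created the hardened way: passes.
        good = get_cache_dir_hardened("good_app", base=root)

        # 2. A pre-existing world-writable directory, as any user could
        #    create at a predictable /tmp path: flagged on permissions.
        shared = root / "shared_app"
        shared.mkdir(mode=0o777)
        os.chmod(shared, 0o777)  # explicit, since mkdir's mode is umask-filtered

        # 3. A symlink planted where the cache directory is expected: refused.
        link = root / "link_app"
        link.symlink_to(root / "somewhere_else")
        try:
            get_cache_dir_hardened("link_app", base=root)
            refused_symlink = False
        except PermissionError:
            refused_symlink = True

        return {
            "good": cache_dir_problems(good),
            "world_writable": cache_dir_problems(shared),
            "symlink": cache_dir_problems(link),
            "refused_symlink": refused_symlink,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ownership and mode checks run on the exact path after creation, so a directory that another user pre-created at the expected location is rejected rather than silently reused. The more durable mitigation is the one the example defaults to: keep the cache under the user's own home or XDG cache location instead of a fixed name in a world-writable shared directory, which removes the cross-user race entirely.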