CVE-2025-10854 · HIGH 8.1 · EPSS p34.0%

Description

The txtai framework allows compressed tar files to be loaded as embedding indices. The validate function is intended to prevent path traversal by checking that member filenames are safe, but it does not account for symbolic links inside the tar file. An attacker can therefore write a file anywhere in the filesystem when txtai is used to load an untrusted embedding index.
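The weakness above is that a filename check alone says nothing about what a link entry resolves to. The following added example (not txtai's own code) shows a member check for untrusted index archives that refuses symlink and hardlink entries outright and confines every remaining path to the destination; the sample archive it builds is constructed for the demonstration and is not a real txtai index.

```python
import io
import os
import tarfile
from typing import Optional

def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return None if the member is safe to extract under dest, else a reason."""
    # A link entry can point outside dest even when its own name looks safe,
    # so links are refused regardless of target.
    if member.issym() or member.islnk():
        return f"link entry rejected: {member.name} -> {member.linkname}"
    if not (member.isfile() or member.isdir()):
        return f"special entry rejected: {member.name}"
    # Resolve the final location and require it to stay inside dest.
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, member.name))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return f"path escapes destination: {member.name}"
    return None

def safe_members(archive: tarfile.TarFile, dest: str):
    """Yield members that pass check_member; raise on the first unsafe one."""
    for member in archive.getmembers():
        reason = check_member(member, dest)
        if reason:
            raise ValueError(reason)
        yield member

def validate_archive(data: bytes, dest: str) -> list:
    """Return the names that would be extracted under dest, or raise ValueError."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return [m.name for m in safe_members(tar, dest)]

def build_test_archive(with_symlink: bool) -> bytes:
    """Constructed sample archive: one regular file, optionally one symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"{}"
        info = tarfile.TarInfo("index/config.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        if with_symlink:
            link = tarfile.TarInfo("index/models")
            link.type = tarfile.SYMTYPE
            link.linkname = "../elsewhere"
            tar.addfile(link)
    return buf.getvalue()
```

Python 3.12's `tarfile.data_filter` applies comparable rules; the explicit check above keeps the policy visible in the loader itself.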

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% probability of exploitation · percentile 34.0% · 2026-06-18T12:00:27Z
Published: 2025-09-22
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-61

References

  1. https://github.com/neuml/txtai/issues/965
  2. https://research.jfrog.com/vulnerabilities/txtai-arbitrary-file-write-jfsa-2025-001471363/

Type: Weakness · Target: UNIX Symbolic Link (Symlink) Following (cwe-61) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-69874
  2. CVE-2025-0851
  3. CVE-2025-33208
  4. CVE-2025-12638
  5. CVE-2026-7524
  6. CVE-2025-51480
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.