EUVD-2025-34071

llama-index has Insecure Temporary File...

World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete NLP Data

Description The llamaindex library sets the NLTK data directory to a subdirectory of the codebase by default e.g., static/nltkcache inside the package directory. In multi-user environments or shared hosting, this directory is world-writable or accessible by multiple users. As a result, any user c...