CVE-2025-5302 – llama-index-core

Package

Manager: pip
Name: llama-index-core
Vulnerable Version: >=0 <0.12.38

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0007 pctl0.2181

Details

LlamaIndex affected by a Denial of Service (DOS) in JSONReader A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.

Metadata

Created: 2025-08-26T00:31:13Z
Modified: 2025-08-26T17:43:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-7753-xrfw-ch36/GHSA-7753-xrfw-ch36.json
CWE IDs: ["CWE-674"]
Alternative ID: GHSA-7753-xrfw-ch36
Finding: F067
Auto approve: 1