CVE-2025-3044 – llama-index-readers-papers

Package

Manager: pip
Name: llama-index-readers-papers
Vulnerable Version: >=0 <0.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00049 pctl0.14854

Details

LlamaIndex vulnerability in ArxivReader class can cause MD5 hash collisions A vulnerability in the ArxivReader class of the run-llama/llama_index repository allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in llama-index-readers-papers version 0.3.1 (in llama-index 0.12.28).

Metadata

Created: 2025-07-07T12:30:22Z
Modified: 2025-07-08T00:03:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-p7j4-jwjf-5x9w/GHSA-p7j4-jwjf-5x9w.json
CWE IDs: ["CWE-440"]
Alternative ID: GHSA-p7j4-jwjf-5x9w
Finding: F014
Auto approve: 1