logo

Database

XML injection (XXE) In llama-index-readers-papers

Description

LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package before version 0.3.2 (in llama-index v0.10.0 and above through v0.12.29). This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version 0.3.2 (in llama-index 0.12.29).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-32252. NVD-2025-32253. OSV-2025-32254. GCVE-2025-3225

References

1. https://github.com/run-llama/llama_index/commit/4f6ee062b19212106a2632af9c9521fc7f0a35842. https://huntr.com/bounties/e33c0699-e9a2-49aa-837b-5363205637a2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.