GHSA-7c85-87cp-mr6g

Source
https://github.com/advisories/GHSA-7c85-87cp-mr6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-7c85-87cp-mr6g/GHSA-7c85-87cp-mr6g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7c85-87cp-mr6g
Aliases
  • CVE-2025-1752
Published
2025-05-10T15:30:28Z
Modified
2025-05-12T21:12:15.436772Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
LlamaIndex Vulnerable to Denial of Service (DoS)
Details

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting versions up to and including the latest at the time of reporting (v0.12.15). The vulnerability arises from inadequate secure-coding measures, specifically that the `max_depth` parameter of the `get_article_urls` function is not properly enforced. This allows an attacker to exhaust Python's recursion limit through repeated recursive calls, leading to resource consumption and ultimately crashing the Python process.
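The defect class described above, as an added illustration that is not LlamaIndex's own code: a recursive article-URL walker over a constructed in-memory link graph containing a cycle. `get_article_urls_unbounded` accepts `max_depth` but never checks it and so recurses until `RecursionError`; `get_article_urls` enforces the depth bound and tracks visited URLs, so the same graph terminates. The page names, `fetch_links` and `is_article` are assumptions made for the example.

```python
# Constructed in-memory link graph standing in for a knowledge-base site.
# The cycle a -> b -> c -> a is the shape that drives an unbounded recursive
# crawler into Python's recursion limit.
PAGES = {
    "https://kb.example/a": ["https://kb.example/b"],
    "https://kb.example/b": ["https://kb.example/c", "https://kb.example/article/1"],
    "https://kb.example/c": ["https://kb.example/a", "https://kb.example/article/2"],
    "https://kb.example/article/1": [],
    "https://kb.example/article/2": ["https://kb.example/article/3"],
    "https://kb.example/article/3": [],
}

def fetch_links(url):
    """Stand-in for a page fetch (hypothetical); returns outgoing links from the constructed graph."""
    return PAGES.get(url, [])

def is_article(url):
    """Hypothetical classifier: article pages live under /article/."""
    return "/article/" in url

def get_article_urls_unbounded(url, max_depth=3):
    """Accepts max_depth but never consults it: the defect class the advisory describes."""
    urls = []
    for link in fetch_links(url):
        if is_article(link):
            urls.append(link)
        urls.extend(get_article_urls_unbounded(link, max_depth))
    return urls

def get_article_urls(url, max_depth=3, depth=0, seen=None):
    """Bounded walker: stops past max_depth and never revisits a URL, so cycles terminate."""
    if seen is None:
        seen = set()
    if depth > max_depth or url in seen:
        return []
    seen.add(url)
    urls = []
    for link in fetch_links(url):
        if is_article(link):
            urls.append(link)
        urls.extend(get_article_urls(link, max_depth, depth + 1, seen))
    return urls

def crashes_on_cycle(url):
    """True if the unbounded walker exhausts the recursion limit on the constructed graph."""
    try:
        get_article_urls_unbounded(url)
    except RecursionError:
        return True
    return False
```

Both the depth bound and the visited set are needed: the depth bound alone still re-fetches cycle members once per level, and the visited set alone does not cap work on a large acyclic site.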

Database specific
{
    "nvd_published_at": "2025-05-10T14:15:32Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-12T20:16:19Z"
}
References

Affected packages

Package
PyPI / llama-index

Affected ranges
Type: ECOSYSTEM
Events:
  • Introduced: 0.12.15
  • Fixed: 0.12.21

Affected versions (0.*)
  • 0.12.15
  • 0.12.16
  • 0.12.17
  • 0.12.18
  • 0.12.19
  • 0.12.20