LlamaIndex affected by a Denial of Service (DOS) in JSONReader

GHSA-7753-xrfw-ch36 · CVE-2025-5302

Published Aug 26, 2025 · Modified Aug 26, 2025

Description

A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-5302
WEB https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635
PACKAGE https://github.com/run-llama/llama_index
WEB https://huntr.com/bounties/70041b81-de9e-4046-8c0e-6ccd557048a6

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes