
CVE-2025-3225
Date: July 7, 2025
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. A billion laughs document declares a chain of nested entities in its DTD, each one defined as many copies of the previous one, so a payload of a few hundred bytes expands to gigabytes when the parser resolves a single entity reference. An attacker who can supply a malicious Sitemap XML to the parser can therefore cause a Denial of Service (DoS) by exhausting system memory and potentially crashing the host. The issue is resolved in version v0.12.29.
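The following is an added example, not code from llama_index or from this advisory. It builds a small billion-laughs sitemap, shows how much a stock XML parser inflates it, and then parses the same document with a hardened sitemap reader that refuses any DOCTYPE or entity declaration before expansion can start. `parse_sitemap_unsafe()` is a stand-in for any reader that hands the document to a stock parser; the real llama_index reader is not reproduced, and the function names, the constructed sample sitemaps, and the use of `pyexpat` handler hooks are all this example's own choices.

```python
"""Billion-laughs sitemap, then the same document through a parser that refuses DTDs.

Added example, not code from llama_index or from this advisory. parse_sitemap_unsafe()
is a stand-in for any sitemap reader that hands the document to a stock XML parser;
the real reader's code is not reproduced. The bomb is deliberately small (3 levels,
fanout 10 -> 3,000 bytes of expansion) so it runs safely anywhere; the classic payload
uses 9 levels and expands to roughly 3 GB.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

# Constructed benign sample for comparison (not a real site).
BENIGN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/docs</loc></url>
</urlset>"""


def build_sitemap_bomb(depth: int = 3, fanout: int = 10) -> bytes:
    """Constructed malicious sitemap: a chain of nested entities in the internal
    DTD subset, each one `fanout` copies of the previous, referenced once from <loc>."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "&lol;" if i == 1 else f"&lol{i - 1};"
        decls.append(f'<!ENTITY lol{i} "{prev * fanout}">')
    doc = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE urlset [{"".join(decls)}]>\n'
        f'<urlset xmlns="{SITEMAP_NS}"><url><loc>&lol{depth};</loc></url></urlset>'
    )
    return doc.encode()


def parse_sitemap_unsafe(xml_bytes: bytes) -> list[str]:
    """Vulnerable pattern: a stock parser resolves every entity it meets, so the
    single &lolN; reference inflates to fanout**depth copies of "lol" in memory."""
    root = ET.fromstring(xml_bytes)
    return [loc.text or "" for loc in root.iter(f"{{{SITEMAP_NS}}}loc")]


def amplification(xml_bytes: bytes) -> float:
    """Bytes of expanded <loc> text per byte of input, measured with the unsafe parser."""
    expanded = sum(len(u) for u in parse_sitemap_unsafe(xml_bytes))
    return expanded / len(xml_bytes)


class ForbiddenDTD(ValueError):
    """Raised when a sitemap carries a DOCTYPE or an entity declaration."""


def parse_sitemap_safe(xml_bytes: bytes) -> list[str]:
    """Hardened parser: a sitemap never needs a DTD, so reject one before any
    entity can be expanded. Same idea as defusedxml's forbid_dtd / forbid_entities,
    done here directly on pyexpat's handler hooks."""
    urls: list[str] = []
    text: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD("DOCTYPE is not allowed in a sitemap")

    def on_entity_decl(*_):
        raise ForbiddenDTD("entity declarations are not allowed in a sitemap")

    def on_start(tag, attrs):
        text.clear()

    def on_chars(data):
        text.append(data)

    def on_end(tag):
        if tag == f"{SITEMAP_NS} loc":  # expat reports "namespace<sep>local"
            urls.append("".join(text).strip())

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)  # an exception raised in a handler propagates out of Parse()
    return urls


def rejects(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_sitemap_safe(xml_bytes)
    except ForbiddenDTD:
        return True
    return False


def expat_has_amplification_guard() -> bool:
    """Expat 2.4.1+ caps entity amplification on its own (100x once 8 MiB of output
    have been produced), which is why a full-size bomb may already fail on a current
    Python. Older system Expat builds have no such cap, so do not rely on it."""
    return xml.parsers.expat.version_info >= (2, 4, 1)


if __name__ == "__main__":
    bomb = build_sitemap_bomb()
    print(f"bomb is {len(bomb)} bytes, expands {amplification(bomb):.1f}x in a stock parser")
    print("hardened parser rejects bomb:", rejects(bomb))
    print("hardened parser reads benign sitemap:", parse_sitemap_safe(BENIGN_SITEMAP))
    print("Expat amplification guard present:", expat_has_amplification_guard())
```

The hardened path rejects on the DOCTYPE itself rather than trying to bound expansion, because a sitemap has no legitimate use for a DTD and a rejection is cheaper and easier to audit than a size budget. The Expat version check is the caveat a practitioner wants before concluding a deployment is covered: Python's bundled Expat has carried the amplification limit since 2.4.1, but interpreters linked against an older system libexpat do not.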
Weakness Type (CWE)
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Top Fix

Upgrade Version
Upgrade to a fixed version of the affected package:
llama-index-readers-papers 0.3.2
llama-index-readers-stripe-docs 0.3.1
llama-index-readers-web 0.3.9
https://github.com/run-llama/llama_index.git v0.12.29
Severity Score (CVSS v3.1)

| Metric | Value |
|---|---|
| Base Score | 7.5 (High), computed from the metrics listed below |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | NONE |
| Integrity (I) | NONE |
| Availability (A) | HIGH |