CVE-2025-1752 (GCVE-0-2025-1752)
Vulnerability from cvelistv5
Published
2025-05-10 13:21
Modified
2025-05-12 17:47
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Summary
A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.
References
Impacted products
Vendor Product Version
run-llama run-llama/llama_index Version: unspecified   < 0.3.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1752",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T17:47:19.383577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T17:47:23.693Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "run-llama/llama_index",
          "vendor": "run-llama",
          "versions": [
            {
              "lessThan": "0.3.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python\u0027s recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T13:21:30.866Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467"
        },
        {
          "url": "https://github.com/run-llama/llama_index/commit/3c65db2947271de3bd1927dc66a044da385de4da"
        }
      ],
      "source": {
        "advisory": "cd7b9082-7d75-42e4-84f5-dbee23cbc467",
        "discovery": "EXTERNAL"
      },
      "title": "Denial of Service in run-llama/llama_index"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2025-1752",
    "datePublished": "2025-05-10T13:21:30.866Z",
    "dateReserved": "2025-02-27T11:24:38.795Z",
    "dateUpdated": "2025-05-12T17:47:23.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1752\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2025-05-10T14:15:32.523\",\"lastModified\":\"2025-07-29T14:02:04.330\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python\u0027s recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la clase KnowledgeBaseWebReader del proyecto run-llama/llama_index, que afecta a la versi\u00f3n ~ latest (v0.12.15). La vulnerabilidad surge debido a medidas de codificaci\u00f3n segura inadecuadas, en concreto a la falta de implementaci\u00f3n del par\u00e1metro max_depth en la funci\u00f3n get_article_urls. Esto permite a un atacante agotar el l\u00edmite de recursi\u00f3n de Python mediante repetidas llamadas a funciones, lo que provoca el consumo de recursos y, en \u00faltima instancia, el bloqueo del proceso de Python.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.6\",\"matchCriteriaId\":\"BFE4655A-3982-4EC5-B289-46C22E0A2DF5\"}]}]}],\"references\":[{\"url\":\"https://github.com/run-llama/llama_index/commit/3c65db2947271de3bd1927dc66a044da385de4da\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1752\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-12T17:47:19.383577Z\"}}}], \"references\": [{\"url\": \"https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-12T17:47:11.608Z\"}}], \"cna\": {\"title\": \"Denial of Service in run-llama/llama_index\", \"source\": {\"advisory\": \"cd7b9082-7d75-42e4-84f5-dbee23cbc467\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"run-llama\", \"product\": \"run-llama/llama_index\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"0.3.6\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467\"}, {\"url\": \"https://github.com/run-llama/llama_index/commit/3c65db2947271de3bd1927dc66a044da385de4da\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python\u0027s recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2025-05-10T13:21:30.866Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1752\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-12T17:47:23.693Z\", \"dateReserved\": \"2025-02-27T11:24:38.795Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2025-05-10T13:21:30.866Z\", \"assignerShortName\": \"@huntr_ai\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.