CVE-2025-3225
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-30
Assigner: huntr.dev
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| llamaindex | llamaindex | From 0.12.21 (inc) to 0.12.29 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-776 | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML Entity Expansion attack, also known as a 'billion laughs' attack, found in the sitemap parser of the run-llama/llama_index project version v0.12.21. An attacker can supply a malicious Sitemap XML that causes the parser to expand entities excessively, exhausting system memory and potentially causing a Denial of Service (DoS) by crashing the system. The issue was fixed by replacing the standard XML parser with a safer one that prevents such attacks. [1]
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition by exhausting system memory when processing malicious XML input. This can cause the affected system or application to crash or become unresponsive, disrupting normal operations and potentially causing downtime or loss of availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal memory usage or crashes when processing Sitemap XML files with the vulnerable version (v0.12.21) of the llama_index parser. Additionally, inspecting the XML parsing calls in your codebase to see if they use the standard xml.etree.ElementTree module instead of the safer defusedxml.ElementTree module can help identify vulnerable instances. There are no specific commands provided in the resources to detect this vulnerability on your system or network. [1]
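The code inspection suggested above can be automated. The following is an added example (not llama_index code and not from the advisory) that walks a codebase's import statements with the standard `ast` module and reports every file that imports one of the unguarded stdlib XML parsers rather than `defusedxml`. The module list, the function names and the two sample sources are constructed for this example.

```python
"""Audit Python sources for unguarded stdlib XML parser imports (added example, not llama_index code)."""
import ast
from pathlib import Path

# Stdlib parsers that expand DTD entities without limits; defusedxml wraps each of them.
UNSAFE_MODULES = {
    "xml.etree.ElementTree",
    "xml.etree.cElementTree",
    "xml.dom.minidom",
    "xml.dom.pulldom",
    "xml.sax",
}
SAFE_PACKAGE = "defusedxml"


def find_unsafe_xml_imports(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Return (line number, module) for every import of an unguarded stdlib XML parser."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in UNSAFE_MODULES:
                    hits.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module in UNSAFE_MODULES:
                # e.g. `from xml.etree.ElementTree import fromstring`
                hits.append((node.lineno, node.module))
            else:
                # e.g. `from xml.dom import minidom` -> xml.dom.minidom
                for alias in node.names:
                    full = f"{node.module}.{alias.name}"
                    if full in UNSAFE_MODULES:
                        hits.append((node.lineno, full))
    return sorted(hits)


def uses_defusedxml(source: str, filename: str = "<string>") -> bool:
    """True when the source imports anything from the defusedxml package."""
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] == SAFE_PACKAGE for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] == SAFE_PACKAGE:
                return True
    return False


def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Map each .py file under root to its unsafe XML imports; files without hits are omitted."""
    report = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = find_unsafe_xml_imports(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue  # skip files that do not parse as current Python
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: the pre-fix import pattern and the post-fix pattern.
VULNERABLE_SAMPLE = """\
import xml.etree.ElementTree as ET
from xml.dom import minidom

def parse_sitemap(text):
    return ET.fromstring(text)
"""

FIXED_SAMPLE = """\
import defusedxml.ElementTree as ET

def parse_sitemap(text):
    return ET.fromstring(text)
"""

if __name__ == "__main__":
    print("vulnerable sample:", find_unsafe_xml_imports(VULNERABLE_SAMPLE))
    print("fixed sample:", find_unsafe_xml_imports(FIXED_SAMPLE), "defusedxml:", uses_defusedxml(FIXED_SAMPLE))
```

Point `scan_tree` at the checkout of an application (or at the installed `llama_index` package directory) to list every module that still parses XML through the standard library; a file that appears in the report and does not also pass `uses_defusedxml` is a candidate for the same replacement the fix applied to the sitemap parser.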
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the llama_index package to version v0.12.29 or later, where the issue is fixed. The fix involves replacing the use of Python's standard xml.etree.ElementTree module with the safer defusedxml.ElementTree module for XML parsing. This prevents XML Entity Expansion attacks like the 'billion laughs' attack. If upgrading is not immediately possible, consider patching your code to use defusedxml for XML parsing in the sitemap parser and other affected modules. [1]
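To make the fix concrete, the following added example (not llama_index code and not from the advisory) shows the pre-fix pattern, plain `xml.etree.ElementTree` expanding entities from a sitemap's internal DTD, beside a hardened parser that refuses any DOCTYPE or entity declaration before parsing. The guard uses the standard library's `expat` declaration handlers to do what `defusedxml.ElementTree` does by default, so it runs without extra dependencies; in production the straightforward route is the one the answer above gives, replacing the import with `defusedxml.ElementTree`. The sitemap namespace is the public sitemaps.org one; the function names and both XML documents are constructed for this example, with the DTD sample kept to a two-level, two-copy expansion.

```python
"""Stdlib-only DTD rejection for sitemap parsing (added example, not llama_index code)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"


class ForbiddenDTD(ValueError):
    """The document declares a DOCTYPE or an entity; refuse it before anything is expanded."""


def reject_dtd(document: bytes) -> None:
    """Run expat with handlers that abort on the first DOCTYPE or ENTITY declaration.

    Declaration handlers fire before any entity reference in content is expanded,
    so an expansion payload is refused at the cost of reading its prologue only.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE '{name}' is not allowed in sitemap input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD(f"entity declaration '{name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(document, True)


def _loc_values(root: ET.Element) -> list[str]:
    """Collect the text of every <loc> element in the sitemap namespace."""
    return [(el.text or "").strip() for el in root.iter(f"{{{SITEMAP_NS}}}loc")]


def stdlib_sitemap_urls(document: bytes) -> list[str]:
    """Pre-fix pattern: the stdlib parser expands DTD entities without any limit."""
    return _loc_values(ET.fromstring(document))


def safe_sitemap_urls(document: bytes) -> list[str]:
    """Hardened pattern: refuse any DTD first, then parse the now entity-free document."""
    reject_dtd(document)
    return _loc_values(ET.fromstring(document))


def is_rejected(document: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        safe_sitemap_urls(document)
    except ForbiddenDTD:
        return True
    return False


# Constructed sample: an ordinary sitemap with two entries.
BENIGN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>
"""

# Constructed sample: a sitemap carrying an internal DTD whose entity `b`
# expands to two copies of `a`. The stdlib parser expands it; the guard refuses it.
DTD_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [
  <!ENTITY a "https://example.com/">
  <!ENTITY b "&a;&a;">
]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>&b;</loc></url>
</urlset>
"""

if __name__ == "__main__":
    print("safe parser, benign input:", safe_sitemap_urls(BENIGN_SITEMAP))
    print("stdlib parser, DTD input:", stdlib_sitemap_urls(DTD_SITEMAP))
    print("safe parser rejects DTD input:", is_rejected(DTD_SITEMAP))
```

The doubled URL returned by `stdlib_sitemap_urls` for the DTD sample is the mechanism behind the advisory at a harmless scale: every further level of nesting multiplies the expanded size while the input stays small. Refusing the DOCTYPE outright is the right policy for a sitemap parser because the sitemap format has no legitimate use for DTDs, which is also why `defusedxml` forbids them by default.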