CVE-2025-5472
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-07-30

Assigner: huntr.dev

Description
The JSONReader in run-llama/llama_index version 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and the lack of depth validation, which make the JSONReader susceptible to stack exhaustion when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.
Meta Information
Published: 2025-07-07
Last Modified: 2025-07-30
Generated: 2026-05-07
AI Q&A: 2025-07-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: llamaindex
Product: llamaindex
Version / Range: from 0.12.28 (inclusive) to 0.12.38 (exclusive)
CWE
CWE-674 (Uncontrolled Recursion): The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-5472 is a Denial of Service (DoS) vulnerability in the JSONReader component of the llama_index library. It occurs because the JSONReader uses uncontrolled recursive parsing when processing deeply nested JSON structures. This can cause the application to exceed Python's recursion limit, triggering a RecursionError and crashing the application. The root cause is the lack of depth validation and unsafe recursive traversal design in the JSONReader. [1]


How can this vulnerability impact me?

This vulnerability can impact you by causing your application or service that uses the vulnerable JSONReader to crash or become unavailable when processing deeply nested JSON inputs. This leads to a Denial of Service (DoS), disrupting workflows and making services unreliable or unavailable to users. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by checking which version of the library is installed (for example, `pip show llama-index`); the affected range listed on this page runs from 0.12.28 up to, but not including, 0.12.38. Beyond the version check, the vulnerability can be confirmed by testing the JSONReader component with deeply nested JSON input that exceeds the interpreter's recursion limit, which triggers a RecursionError and causes the application to crash or log a warning. Specifically, you can construct a deeply nested JSON structure (e.g., 2000 levels) and observe whether the application crashes or handles the input gracefully. No network-level signature is provided; the practical test is a Python script similar to the one described in the fix: write a deeply nested JSON file, attempt to load it with the vulnerable JSONReader.load_data method, and watch for a RecursionError or a logged warning. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the run-llama/llama_index library to version 0.12.38 or later, where the vulnerability is fixed by adding exception handling for RecursionError in the JSONReader.load_data method. If upgrading is not immediately possible, consider implementing input validation to reject or limit deeply nested JSON structures before processing, or wrap JSON loading calls in try-except blocks to catch RecursionError and handle it gracefully to prevent application crashes. [1]
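The following is an added example, not code from the llama_index project or from this page. It reproduces the failure mode described in the detection and mitigation answers above on constructed input and shows the two defences the mitigation answer names: a depth check on the raw JSON text before any parser runs, and a traversal that does not use the interpreter stack. The recursive walker is a stand-in for the pattern CWE-674 describes, not the project's actual code; the depth limit of 64 is an assumed policy value, and the nested samples are constructed inline.

```python
"""Depth-limited JSON handling: pre-parse nesting check, a recursive
traversal in the CWE-674 style (stand-in, not llama_index code), and an
iterative replacement that survives arbitrary depth."""
import json
import sys

MAX_DEPTH = 64  # assumed policy limit; tune to what your documents need


def make_nested_text(depth: int) -> str:
    """Constructed sample: a JSON object nested `depth` levels deep, built
    by string repetition so no recursive encoder is involved."""
    return '{"child":' * depth + "null" + "}" * depth


def make_nested_obj(depth: int):
    """Constructed sample: the same shape as a Python object, built iteratively."""
    node = None
    for _ in range(depth):
        node = {"child": node}
    return node


def max_json_depth(text: str) -> int:
    """Single pass over raw JSON text, counting bracket nesting while
    skipping string literals (including escaped quotes) so braces inside
    strings are not counted. O(n) time, O(1) extra memory, no recursion."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def walk_recursive(node, out: list) -> list:
    """Depth-first traversal with no depth guard: the pattern the advisory
    describes. Raises RecursionError once nesting exceeds the stack limit."""
    if isinstance(node, dict):
        for value in node.values():
            walk_recursive(value, out)
    elif isinstance(node, list):
        for value in node:
            walk_recursive(value, out)
    else:
        out.append(node)
    return out


def walk_iterative(node) -> list:
    """Explicit-stack traversal producing the same leaf order as
    walk_recursive, bounded by heap memory instead of the interpreter stack."""
    out, stack = [], [node]
    while stack:
        current = stack.pop()
        if isinstance(current, dict):
            stack.extend(reversed(list(current.values())))
        elif isinstance(current, list):
            stack.extend(reversed(current))
        else:
            out.append(current)
    return out


def load_json_limited(text: str, max_depth: int = MAX_DEPTH) -> list:
    """Reject over-deep input before json.loads runs. CPython's json decoder
    is itself recursive and trips its own recursion guard at a version-
    dependent depth, so the check must be made on the raw text."""
    depth = max_json_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return walk_iterative(json.loads(text))


def demo(depth: int = 0) -> dict:
    """Reproduce the crash on constructed input and exercise both defences.
    depth <= 0 selects a depth just past the interpreter's recursion limit."""
    if depth <= 0:
        depth = sys.getrecursionlimit() + 200
    deep_obj, deep_text = make_nested_obj(depth), make_nested_text(depth)
    try:
        walk_recursive(deep_obj, [])
        recursive_crashed = False
    except RecursionError:
        recursive_crashed = True  # the DoS condition
    try:
        load_json_limited(deep_text)
        rejected = False
    except ValueError:
        rejected = True  # depth check fired before parsing
    return {
        "depth": depth,
        "recursive_crashed": recursive_crashed,
        "iterative_leaves": len(walk_iterative(deep_obj)),
        "rejected_before_parse": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module reports `recursive_crashed: True` and `rejected_before_parse: True` for a document nested a few hundred levels past the recursion limit, while the iterative walker still returns its single `null` leaf. The text-level check is the important part of the hardening: wrapping `json.loads` in a `try/except RecursionError` only turns the crash into a handled error, whereas measuring nesting on the raw bytes lets a service refuse the input with a clear policy error before any recursive code touches it.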

