CVE-2025-6208
Unknown Unknown - Not Provided
Uncontrolled Memory Consumption in llama_index.core SimpleDirectoryReader

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: huntr.dev

Description
The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-6208
EUVD
EUVD-2025-206599
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
run-llama llama_index to 0.12.41 (exc)
run-llama llama_index 0.12.41
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the SimpleDirectoryReader component of the llama_index project (version 0.12.23). It causes uncontrolled memory consumption because the limit on the number of files to read (num_files_limit) is applied only after all files in a directory are loaded into memory. This means that if a directory contains many files, all of them are loaded first, potentially exhausting available memory and degrading performance. The issue was fixed by changing the file loading logic to enforce the file limit during directory traversal, preventing excessive memory use. [1]

Impact Analysis

This vulnerability can lead to memory exhaustion on systems using the affected SimpleDirectoryReader component, especially in environments with limited resources. Excessive memory consumption can cause degraded performance, application crashes, or denial of service, impacting the reliability and availability of applications relying on this component. [1]

Detection Guidance

This vulnerability manifests as uncontrolled memory consumption when the SimpleDirectoryReader component loads files from a directory. To detect it, monitor the memory usage of processes using llama_index version 0.12.23, especially when reading directories with many files. Commands like 'top' or 'htop' on Linux can show real-time memory usage. Additionally, you can use 'ps aux --sort=-%mem | head' to identify processes consuming high memory. For more targeted detection, monitor logs or application behavior for performance degradation or crashes during directory reading operations. [1]

Mitigation Strategies

The immediate mitigation is to upgrade the llama_index package to version 0.12.41 or later, where the vulnerability is fixed by enforcing the file limit during directory traversal to prevent excessive memory use. If upgrading is not immediately possible, limit the number of files processed by the SimpleDirectoryReader manually or avoid processing directories with a large number of files to reduce memory consumption. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart