CVE-2025-3225

Summary

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.

Affected Software

VendorProductVersion RangeStatus
run-llamarun-llama/llama_indexunspecified < v0.12.29affected

Weaknesses

  • CWE-776: CWE-776 Improper Restriction of Recursive Entity References in DTDs

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References