Vulnerability Description
The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Llamaindex | Llamaindex | >= 0.12.28, < 0.12.38 |
Related Weaknesses (CWE)
References
- https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1Patch
- https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4ExploitThird Party Advisory
FAQ
What is CVE-2025-5472?
CVE-2025-5472 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Servic...
How severe is CVE-2025-5472?
CVE-2025-5472 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-5472?
Check the references section above for vendor advisories and patch information. Affected products include: Llamaindex Llamaindex.