Denial of Service Vulnerability in KnowledgeBaseWebReader Class of run-llama Product
CVE-2025-1752

7.5 HIGH

Key Information:

Vendor: Run-llama
CVE Published: 10 May 2025

What is CVE-2025-1752?

A Denial of Service vulnerability exists in the KnowledgeBaseWebReader class of run-llama's llama_index project, specifically from version v0.12.15. Insufficient secure coding practices around the max_depth parameter of the get_article_urls function allow an attacker to cause the function to be invoked repeatedly until Python's recursion limit is exhausted, leading to high resource consumption and eventually a crash of the Python process. This is a significant concern for users relying on this service.
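The failure mode described above, as an added illustration that is not code from llama_index: a hypothetical recursive get_article_urls that trusts a caller-supplied max_depth, beside a bounded, iterative variant that clamps the depth and cannot exhaust the call stack. The in-memory site, its URL names and the MAX_ALLOWED_DEPTH ceiling are constructed for this example.

```python
from typing import Dict, List, Set

# Constructed in-memory "knowledge base": each URL maps to the article links on
# that page, standing in for HTTP fetching so the example runs offline. The chain
# is longer than Python's default recursion limit (1000) so unbounded recursion fails.
CHAIN_LENGTH = 3000
START = "https://kb.example/page0"
CONSTRUCTED_SITE: Dict[str, List[str]] = {
    f"https://kb.example/page{i}": [f"https://kb.example/page{i + 1}"]
    for i in range(CHAIN_LENGTH)
}
CONSTRUCTED_SITE[f"https://kb.example/page{CHAIN_LENGTH}"] = []

MAX_ALLOWED_DEPTH = 5  # hypothetical server-side ceiling no caller can raise

def get_article_urls_recursive(site, url, max_depth, depth=0, seen=None):
    """Recursive crawl that trusts max_depth as given (the vulnerable pattern)."""
    seen = set() if seen is None else seen
    if depth > max_depth or url in seen:
        return seen
    seen.add(url)
    for link in site.get(url, []):
        get_article_urls_recursive(site, link, max_depth, depth + 1, seen)
    return seen

def get_article_urls_bounded(site, url, max_depth) -> Set[str]:
    """Hardened crawl: validate and clamp max_depth, then walk iteratively so
    crawl depth never becomes Python call-stack depth."""
    if not isinstance(max_depth, int) or max_depth < 0:
        raise ValueError("max_depth must be a non-negative integer")
    max_depth = min(max_depth, MAX_ALLOWED_DEPTH)
    seen: Set[str] = set()
    frontier = [(url, 0)]
    while frontier:
        current, depth = frontier.pop()
        if current in seen:
            continue
        seen.add(current)
        if depth < max_depth:
            frontier.extend((link, depth + 1) for link in site.get(current, []))
    return seen

def recursive_crawl_crashes(site, url, max_depth) -> bool:
    """True if the unbounded recursive variant exhausts the recursion limit."""
    try:
        get_article_urls_recursive(site, url, max_depth)
    except RecursionError:
        return True
    return False
```

With an oversized max_depth the recursive variant raises RecursionError while the bounded variant returns after at most MAX_ALLOWED_DEPTH hops.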

Affected Version(s)

run-llama/llama_index < 0.3.6

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
