XML Entity Expansion Vulnerability in run-llama's Llama Index
CVE-2025-3225

7.5HIGH

Key Information:

Vendor: Run-llama
Status: Run-llama/llama Index
Vendor: CVE Published:; 7 July 2025

Badges

📰 News Worthy

What is CVE-2025-3225?

An XML Entity Expansion vulnerability is present in the sitemap parser of the Llama Index repository maintained by run-llama. This vulnerability allows attackers to exploit a flaw in the XML parsing mechanism, commonly referred to as a 'billion laughs' attack. By submitting a carefully crafted malicious Sitemap XML, an attacker can manipulate the system into entering a state of resource exhaustion, leading to a Denial of Service (DoS) scenario where the affected server may crash or become unresponsive. The issue was effectively resolved in version v0.12.29, making it crucial for users to upgrade to prevent potential exploitation.

Affected Version(s)

run-llama/llama_index < unspecified

News Articles

Yanac.hu

CVE-2025-3225

CVE-2025-3225 | run-llama llama_index up to 0.12.28 Sitemap XML xml entity expansion

A vulnerability was found in run-llama llama_index up to 0.12.28. It has been classified as problematic. Affected is an unknown function of the component Sitemap XML Handler. The manipulation lead…

3 weeks ago

References

https://huntr.com/bounties/e33c0699-e9a2-49aa-837b-536320...

https://github.com/run-llama/llama_index/commit/4f6ee062b...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by Yanac.hu
Jul 12, 2025
Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Apr 3, 2025

Run-llama

Badges

What is CVE-2025-3225?

Affected Version(s)

News Articles

CVE-2025-3225 | run-llama llama_index up to 0.12.28 Sitemap XML xml entity expansion

References

CVSS V3.0

Timeline