XML Entity Expansion Vulnerability in run-llama's Llama Index
CVE-2025-3225

7.5 HIGH

Key Information:

Vendor

Run-llama

CVE Published:
7 July 2025

What is CVE-2025-3225?

An XML Entity Expansion vulnerability is present in the sitemap parser of the Llama Index repository maintained by run-llama. The parser's XML handling permits an entity-expansion attack, commonly referred to as a 'billion laughs' attack: by submitting a crafted malicious sitemap XML, an attacker can drive the process into resource exhaustion, producing a Denial of Service (DoS) in which the affected server may crash or become unresponsive. The issue was resolved in version v0.12.29; users should upgrade to that version or later to prevent exploitation.
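As an added illustration of the mitigation (example code written here, not llama_index's own fix), a sitemap parser that refuses any DOCTYPE or entity declaration at declaration time, so an entity-expansion document is rejected before expat expands anything. The sample documents, function names and the sitemap namespace handling are constructed for this example.

```python
import xml.parsers.expat

class UnsafeSitemapError(ValueError):
    """Raised when a sitemap carries a DTD or entity declaration."""

def parse_sitemap_locs(xml_bytes: bytes) -> list[str]:
    """Return the <loc> URLs; abort on any DOCTYPE or ENTITY declaration,
    which a sitemap never legitimately needs, before anything is expanded."""
    locs, buf, in_loc = [], [], False

    def reject(name, *_):  # one handler serves doctype and entity declarations
        raise UnsafeSitemapError(f"declaration of {name!r} not allowed in a sitemap")

    def start(name, attrs):
        nonlocal in_loc
        if name.rsplit(" ", 1)[-1] == "loc":  # drop the "uri " prefix expat adds
            in_loc, buf[:] = True, []

    def chars(data):
        if in_loc:
            buf.append(data)

    def end(name):
        nonlocal in_loc
        if name.rsplit(" ", 1)[-1] == "loc":
            locs.append("".join(buf).strip())
            in_loc = False

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return locs

def is_rejected(xml_bytes: bytes) -> bool:  # True when the document is refused
    try:
        parse_sitemap_locs(xml_bytes)
    except UnsafeSitemapError:
        return True
    return False

# Constructed samples: a benign sitemap and one carrying an internal DTD entity.
BENIGN = (b'<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
          b'<url><loc>https://example.com/</loc></url>'
          b'<url><loc>https://example.com/docs</loc></url></urlset>')
WITH_DTD = (b'<!DOCTYPE urlset [<!ENTITY a "aaaa">]>'
            b'<urlset><url><loc>&a;</loc></url></urlset>')
```

Rejecting the DTD outright is stricter than limiting expansion depth, but sitemaps carry no DTD in practice, so the check costs nothing for legitimate input.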

Affected Version(s)

run-llama/llama_index < unspecified

References

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
