Denial of Service Vulnerability in Llama Index JSONReader Component by Run Llama
CVE-2025-5302

8.6 HIGH

Key Information:

Vendor: Run-llama

CVE Published: 25 August 2025

What is CVE-2025-5302?

A denial of service vulnerability has been identified in the JSONReader component of the Llama Index repository, specifically in version v0.12.37. The issue arises from uncontrolled recursion while parsing deeply nested JSON files, which can cause Python to exceed its maximum recursion depth. The result is high resource consumption and potential crashes of the Python process. The vulnerability is resolved in Llama Index version v0.12.38.
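The failure mode described above, as an added example that is not code from Llama Index or from this advisory: a recursive walker over parsed JSON hits Python's recursion limit on deep nesting, while a walker with an explicit stack and a depth cap rejects the same input cleanly. The function names and the limit of 64 levels are assumptions made for illustration.

```python
import json

MAX_DEPTH = 64  # assumed policy limit for this example, not a value from the advisory

class NestingTooDeep(ValueError):
    """Raised instead of letting the interpreter hit its recursion limit."""

def leaves_recursive(node, path=()):
    # Unbounded pattern: one Python stack frame per nesting level.
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)
    else:
        return [(path, node)]
    out = []
    for key, value in items:
        out.extend(leaves_recursive(value, path + (key,)))
    return out

def leaves_bounded(node, max_depth=MAX_DEPTH):
    # Explicit stack on the heap plus a hard depth cap: no interpreter recursion.
    out, stack = [], [((), node)]
    while stack:
        path, cur = stack.pop()
        if not isinstance(cur, (dict, list)):
            out.append((path, cur))
            continue
        if len(path) >= max_depth:
            raise NestingTooDeep(f"nesting exceeds {max_depth} levels")
        items = cur.items() if isinstance(cur, dict) else enumerate(cur)
        # Push in reverse so leaves come out in document order.
        stack.extend((path + (k,), v) for k, v in reversed(list(items)))
    return out

def make_nested(depth):
    # Constructed input, built iteratively: `depth` lists wrapped around one leaf.
    node = "leaf"
    for _ in range(depth):
        node = [node]
    return node

def outcome(walker, node):
    # Returns the leaf count, or the name of the exception the walker raised.
    try:
        return len(walker(node))
    except (RecursionError, NestingTooDeep) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    doc = json.loads('{"a": {"b": [1, 2]}, "c": 3}')  # constructed sample
    print(leaves_bounded(doc))
    deep = make_nested(5000)
    print(outcome(leaves_recursive, deep), outcome(leaves_bounded, deep))
```

The cap turns an interpreter-level failure into an ordinary, catchable validation error, so a service can reject the document and keep running.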

Affected Version(s)

run-llama/llama_index < 0.12.38

CVSS V3.0

Score: 8.6
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
