CVE-2025-1752: llama_index: DoS via uncapped recursion in web reader
GHSA-7c85-87cp-mr6g | HIGH | PoC AVAILABLE | CISA: TRACK*
If your RAG pipelines use LlamaIndex's KnowledgeBaseWebReader to ingest web content, an unauthenticated attacker who can influence crawled URLs can crash your Python process. Upgrade llama-index to 0.12.21 immediately; no workaround exists short of disabling the component. Impact is availability-only—no data exfiltration—but a crashed ingestion pipeline means stale or missing context in production AI systems.
What is the risk?
High severity (CVSS 7.5) with low active exploitation probability (EPSS 0.16%). The attack requires zero privileges and no user interaction, lowering the barrier to exploitation. However, the attacker must control or influence URL sources fed to KnowledgeBaseWebReader, which limits opportunistic exploitation. In AI pipelines that autonomously crawl external content or process user-submitted URLs, exposure is significantly elevated. Not in CISA KEV; patch is available.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LlamaIndex | pip | >= 0.12.15, < 0.12.21 | 0.12.21 |
What should I do?
1) Upgrade llama-index to >= 0.12.21 (patch commit 3c65db29).
2) If upgrade is blocked, disable KnowledgeBaseWebReader and substitute with a reader that enforces crawl depth.
3) Implement URL allowlists for web reader components—never crawl attacker-controlled domains.
4) Run web ingestion in isolated subprocesses with resource limits (ulimit, container cgroups) to contain recursion crashes.
5) Monitor ingestion pipeline processes for unexpected terminations; alert on repeated crashes as a potential exploitation signal.
6) Apply sys.setrecursionlimit() at the application layer as a defense-in-depth measure.
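Steps 3 to 5 combined in one wrapper, as an added example that is not code from LlamaIndex or from this advisory: an exact-hostname allowlist, a child process with a CPU limit, and outcome classification the parent can alert on. The host names, worker strings and function names are assumptions made for illustration; the code is POSIX-only because it uses the `resource` module.

```python
import resource
import subprocess
import sys
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"docs.example.com", "kb.example.com"}  # assumed allowlist

# Constructed workers standing in for an ingestion job (URL arrives in argv[1]).
HEALTHY_WORKER = "import sys; print('ingested', sys.argv[1])"
RUNAWAY_WORKER = "def walk(d):\n    return walk(d + 1)\nwalk(0)\n"


def url_allowed(url):
    """Step 3: exact match on the parsed hostname, never a substring test."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def _child_limits():
    # Runs in the child before exec: cap CPU time at 5 seconds.
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))


def ingest_isolated(url, worker_code, timeout=10):
    """Step 4: run one job in a child process and classify how it ended."""
    if not url_allowed(url):
        return "rejected"
    try:
        proc = subprocess.run([sys.executable, "-c", worker_code, url],
                              preexec_fn=_child_limits, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode == 0:
        return "ok"
    # The child died; the parent survives and can tell why from stderr.
    return "recursion-crash" if "RecursionError" in proc.stderr else "failed"


def crash_alert(outcomes, threshold=3):
    """Step 5: True when the last `threshold` jobs all ended abnormally."""
    tail = outcomes[-threshold:]
    return len(tail) == threshold and all(
        o not in ("ok", "rejected") for o in tail)
```
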
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-1752 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-1752, increasing the risk of exploitation.
What systems are affected by CVE-2025-1752?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, knowledge base builders.
What is the CVSS score for CVE-2025-1752?
CVE-2025-1752 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.44%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.
Exploitation Scenario
An adversary hosts a website with circular or deeply nested link structures and submits its URL to a system using KnowledgeBaseWebReader—common in RAG knowledge base builders or AI research assistants. In an agentic workflow where an LLM autonomously fetches web content, the adversary embeds the malicious URL in a document or prompt, causing the agent to invoke the vulnerable reader. The get_article_urls function recursively follows links without respecting max_depth, exhausting Python's call stack (default 1000 frames) and crashing the process. The attack requires no authentication, is repeatable, and could keep the ingestion pipeline offline indefinitely.
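The failure class described above next to a bounded traversal, as an added example that is not LlamaIndex's code or its patch. `crawl_recursive` is a simplified stand-in for a crawler that accepts `max_depth` but never enforces it; `SITE`, `fetch_links` and `crawl_bounded` are hypothetical names, and the link graph is constructed in memory so nothing is fetched.

```python
from collections import deque
from urllib.parse import urldefrag, urljoin

# Constructed link graph standing in for fetched pages (URL -> hrefs on it).
# /a and /b link to each other; /deep/N is a 5000-page chain of nested links.
SITE = {
    "https://kb.example/": ["/a", "/deep/0"],
    "https://kb.example/a": ["/b"],
    "https://kb.example/b": ["/a#top", "/article/1"],
    "https://kb.example/article/1": [],
}
for i in range(5000):
    SITE[f"https://kb.example/deep/{i}"] = [f"/deep/{i + 1}"]


def fetch_links(url):
    """Hypothetical fetcher: absolute, fragment-free links found on `url`."""
    return [urldefrag(urljoin(url, href)).url for href in SITE.get(url, [])]


def crawl_recursive(url, max_depth=2, depth=0):
    """Flawed pattern: max_depth is accepted but never compared with depth."""
    found = [url]
    for link in fetch_links(url):
        found.extend(crawl_recursive(link, max_depth, depth + 1))
    return found


def crawl_bounded(root, max_depth=2, max_pages=500):
    """Iterative breadth-first crawl with a depth cap, page cap and seen-set."""
    seen, queue, order = {root}, deque([(root, 0)]), []
    while queue:
        url, depth = queue.popleft()
        order.append(url)
        if depth >= max_depth:
            continue  # at the cap: record the page, do not expand its links
        for link in fetch_links(url):
            if link not in seen and len(seen) < max_pages:
                seen.add(link)
                queue.append((link, depth + 1))
    return order


def recursion_exhausted(root):
    """True if the flawed crawler dies with RecursionError on this graph."""
    try:
        crawl_recursive(root)
    except RecursionError:
        return True
    return False
```

Because the bounded version keeps its frontier in a queue rather than on the call stack, neither the cycle nor the deep chain can reach the interpreter's recursion limit, and `max_pages` caps total work even when `max_depth` is set very high.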
Weaknesses (CWE)
CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2024-12909 (10.0) llama-index finchat: SQL injection enables RCE. Same package: llama-index
- CVE-2025-1793 (9.8) llama_index: SQL injection in vector store integrations. Same package: llama-index
- CVE-2024-11958 (9.8) llama-index DuckDB retriever: SQLi enables RCE. Same package: llama-index
- CVE-2025-1753 (7.8) llama-index-cli: OS command injection enables RCE. Same package: llama-index
- CVE-2025-3225 (7.5) llama-index Papers Loader: XML expansion DoS. Same package: llama-index