CVE-2025-1752: llama_index: DoS via uncapped recursion in web reader

GHSA-7c85-87cp-mr6g | Severity: HIGH | PoC available | CISA SSVC: Track*
Published May 10, 2025
CISO Take

If your RAG pipelines use LlamaIndex's KnowledgeBaseWebReader to ingest web content, an unauthenticated attacker who can influence crawled URLs can crash your Python process. Upgrade llama-index to 0.12.21 immediately; no workaround exists short of disabling the component. Impact is availability-only—no data exfiltration—but a crashed ingestion pipeline means stale or missing context in production AI systems.

Risk Assessment

High severity (CVSS 7.5) with low active exploitation probability (EPSS 0.16%). The attack requires zero privileges and no user interaction, lowering the barrier to exploitation. However, the attacker must control or influence URL sources fed to KnowledgeBaseWebReader, which limits opportunistic exploitation. In AI pipelines that autonomously crawl external content or process user-submitted URLs, exposure is significantly elevated. Not in CISA KEV; patch is available.

Affected Systems

Package: llama-index
Ecosystem: pip
Vulnerable range: >= 0.12.15, < 0.12.21
Patched version: 0.12.21
Package stats: 49.3K, 229 dependents, 87% patched, ~50 days to patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: trivial
Exploitation confidence: medium
CISA SSVC: public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Recommended Action

  1. Upgrade llama-index to >= 0.12.21 (patch commit 3c65db29).
  2. If upgrade is blocked, disable KnowledgeBaseWebReader and substitute a reader that enforces crawl depth.
  3. Implement URL allowlists for web reader components; never crawl attacker-controlled domains.
  4. Run web ingestion in isolated subprocesses with resource limits (ulimit, container cgroups) to contain recursion crashes.
  5. Monitor ingestion pipeline processes for unexpected terminations; alert on repeated crashes as a potential exploitation signal.
  6. Apply sys.setrecursionlimit() at the application layer as a defense-in-depth measure.
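Step 4 above (isolated subprocess, resource limits, crash detection) as an added example; this is illustrative code written for this page, not llama_index's own. The ingestion job is a constructed stand-in that recurses without bound the way the advisory describes, so the child dies with an uncaught RecursionError while the parent keeps running and records the outcome for step 5's monitoring.

```python
import multiprocessing as mp
import sys


def ingest_job(max_frames: int) -> None:
    """Constructed stand-in for a web-reader ingestion job (no network).
    It recurses without bound, so the child process exits with an uncaught
    RecursionError (multiprocessing reports exit code 1)."""
    try:
        import resource  # Unix only: cap CPU seconds and address space for this child
        resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
        resource.setrlimit(resource.RLIMIT_AS, (1024 * 2**20, 1024 * 2**20))
    except (ImportError, ValueError, OSError):
        pass  # platform or sandbox does not allow these limits; isolation still holds
    sys.setrecursionlimit(max_frames)

    def follow(depth: int) -> int:
        return follow(depth + 1)  # never terminates on its own

    follow(0)


def healthy_job() -> None:
    """A job that completes normally, for contrast."""
    return None


def run_isolated(target, args=(), timeout_s: float = 30.0) -> dict:
    """Run an ingestion job in its own process so a crash cannot take the
    parent pipeline down. The returned status is what an operator would log;
    repeated 'crashed' or 'killed' results are the signal to alert on."""
    # fork keeps the example self-contained; fall back to the platform default elsewhere
    ctx = mp.get_context("fork") if "fork" in mp.get_all_start_methods() else mp.get_context()
    proc = ctx.Process(target=target, args=args)
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():  # hung past its time budget: terminate it, as a cgroup would
        proc.kill()
        proc.join()
        return {"status": "killed", "exitcode": proc.exitcode}
    return {"status": "ok" if proc.exitcode == 0 else "crashed", "exitcode": proc.exitcode}


if __name__ == "__main__":
    print(run_isolated(ingest_job, (500,)))  # parent survives the child's crash
    print(run_isolated(healthy_job))
```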

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system robustness and availability
NIST AI RMF: MANAGE 2.2 - AI Risk Treatment and Incident Response
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-1752?

If your RAG pipelines use LlamaIndex's KnowledgeBaseWebReader to ingest web content, an unauthenticated attacker who can influence crawled URLs can crash your Python process. Upgrade llama-index to 0.12.21 immediately; no workaround exists short of disabling the component. Impact is availability-only—no data exfiltration—but a crashed ingestion pipeline means stale or missing context in production AI systems.

Is CVE-2025-1752 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1752, increasing the risk of exploitation.

How to fix CVE-2025-1752?

  1. Upgrade llama-index to >= 0.12.21 (patch commit 3c65db29).
  2. If upgrade is blocked, disable KnowledgeBaseWebReader and substitute a reader that enforces crawl depth.
  3. Implement URL allowlists for web reader components; never crawl attacker-controlled domains.
  4. Run web ingestion in isolated subprocesses with resource limits (ulimit, container cgroups) to contain recursion crashes.
  5. Monitor ingestion pipeline processes for unexpected terminations; alert on repeated crashes as a potential exploitation signal.
  6. Apply sys.setrecursionlimit() at the application layer as a defense-in-depth measure.

What systems are affected by CVE-2025-1752?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, knowledge base builders.

What is the CVSS score for CVE-2025-1752?

CVE-2025-1752 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.

Exploitation Scenario

An adversary hosts a website with circular or deeply nested link structures and submits its URL to a system using KnowledgeBaseWebReader—common in RAG knowledge base builders or AI research assistants. In an agentic workflow where an LLM autonomously fetches web content, the adversary embeds the malicious URL in a document or prompt, causing the agent to invoke the vulnerable reader. The get_article_urls function recursively follows links without respecting max_depth, exhausting Python's call stack (default 1000 frames) and crashing the process. The attack requires no authentication, is repeatable, and could keep the ingestion pipeline offline indefinitely.
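The failure mode described above, and the depth-capped, allowlisted reader that steps 2 and 3 of the recommended actions call for, as an added example written for this page (not llama_index's get_article_urls). The site map is constructed in memory so nothing is fetched: pages a and b link to each other, and page c starts a long chain.

```python
from urllib.parse import urlparse

# Constructed in-memory "site": page URL -> links found on that page.
SITE = {
    "https://kb.example/a": ["https://kb.example/b", "https://kb.example/c"],
    "https://kb.example/b": ["https://kb.example/a", "https://evil.example/x"],
    "https://evil.example/x": ["https://kb.example/a"],
}
for i in range(2000):  # deep chain: c -> c1 -> c2 -> ... -> c2000
    SITE[f"https://kb.example/c{i or ''}"] = [f"https://kb.example/c{i + 1}"]


def walk_links_unbounded(site, url, found=None):
    """Naive recursive link walk: no depth cap, no visited set. On a cyclic
    or very deep site it recurses until Python's recursion limit is hit."""
    found = [] if found is None else found
    found.append(url)
    for link in site.get(url, []):
        walk_links_unbounded(site, link, found)
    return found


def unbounded_walk_hits_limit(site, url) -> bool:
    """True if the naive walk dies with RecursionError on this site."""
    try:
        walk_links_unbounded(site, url)
        return False
    except RecursionError:
        return True


def get_urls_bounded(site, url, allowed_hosts, max_depth=2):
    """Hardened walk: enforces max_depth, skips hosts outside the allowlist,
    never revisits a URL, and is iterative so the call stack never grows.
    Returns accepted URLs in breadth-first order."""
    seen, order = set(), []
    frontier = [(url, 0)]
    while frontier:
        current, depth = frontier.pop(0)
        if current in seen or urlparse(current).hostname not in allowed_hosts:
            continue
        seen.add(current)
        order.append(current)
        if depth < max_depth:  # only expand links while under the cap
            frontier.extend((link, depth + 1) for link in site.get(current, []))
    return order
```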

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 10, 2025
Last Modified: October 15, 2025
First Seen: March 24, 2026
