CVE-2025-5302: llama-index: JSON parsing DoS via deep recursion
GHSA-7753-xrfw-ch36 · Severity: HIGH · PoC available · CISA: Track

Any llama-index deployment processing external or user-supplied JSON documents is vulnerable to a denial-of-service crash with no authentication required. A single crafted deeply-nested JSON file exhausts Python's call stack and kills the worker process. Patch llama-index-core to 0.12.38 immediately; if patching is delayed, add pre-validation to cap JSON nesting depth before it reaches JSONReader.
Risk Assessment
Real-world risk is context-dependent despite the CVSS 8.6 (High) score. The EPSS of 0.00058 signals low current exploitation probability, and the vulnerability is not in CISA KEV. Exposure is highest in public-facing RAG pipelines and document ingestion APIs where untrusted parties can supply JSON payloads. Internal deployments with controlled data sources carry significantly lower risk. Blast radius is limited to availability — no privilege escalation or persistent code execution is possible — but the confidentiality (C:L) and integrity (I:L) components in the CVSS vector suggest potential stack trace leakage or transient state corruption on crash.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llama-index-core | pip | < 0.12.38 | 0.12.38 |
Recommended Action
1. Patch: Upgrade llama-index-core to >=0.12.38 immediately — this is the only complete fix.
2. Workaround (if patching is delayed): Pre-validate all incoming JSON to enforce a maximum nesting depth (recommended: 20-50 levels) before passing to JSONReader. Reject or flatten payloads exceeding this threshold.
3. Process isolation: Run document ingestion workers in isolated processes or containers so a crash does not affect the broader application.
4. Detection: Alert on RecursionError tracebacks in application logs, unexpected Python worker restarts, or abrupt availability drops in document ingestion endpoints.
5. Input sanitization at API boundaries: For public-facing endpoints, enforce JSON payload size limits and structural constraints as a defense-in-depth measure.
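The depth pre-check from step 2, as an added example that is not part of the advisory or of the llama-index code base. It measures nesting depth with a single non-recursive scan of the raw text, so the check itself cannot trip the recursion limit it is guarding against; `MAX_JSON_DEPTH`, `is_within_depth` and `load_json_bounded` are names chosen here, and the sample inputs are constructed.

```python
import json

MAX_JSON_DEPTH = 32  # assumed setting, within the 20-50 range recommended above

def json_nesting_depth(text: str) -> int:
    """Maximum object/array nesting depth of a JSON document.

    Scans the raw text in a single loop with no recursion, so the check itself
    cannot hit the interpreter's recursion limit however deep the input is.
    String literals are skipped so brackets inside them are not counted.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth

def is_within_depth(text: str, limit: int = MAX_JSON_DEPTH) -> bool:
    """True if the document may be handed on to the parser / JSONReader."""
    return json_nesting_depth(text) <= limit

def load_json_bounded(text: str, limit: int = MAX_JSON_DEPTH):
    """Parse only after the depth check passes; over-deep input is rejected
    with ValueError instead of crashing the worker with RecursionError."""
    if not is_within_depth(text, limit):
        raise ValueError(f"JSON nesting depth exceeds limit of {limit}")
    return json.loads(text)

# Constructed samples: a benign document and a 1500-level payload shaped like
# the one in the exploitation scenario ({"a":{"a":{...}}}).
BENIGN = '{"title": "notes", "tags": ["a", "b"], "meta": {"pages": 3}}'
DEEP = '{"a":' * 1500 + "1" + "}" * 1500

if __name__ == "__main__":
    print(json_nesting_depth(BENIGN), is_within_depth(BENIGN))  # 2 True
    print(json_nesting_depth(DEEP), is_within_depth(DEEP))      # 1500 False
```

In an ingestion service the check runs on the uploaded bytes before the file is written to the path that JSONReader will load, so a rejected payload never reaches the recursive parser.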
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-5302?
Any llama-index deployment processing external or user-supplied JSON documents is vulnerable to a denial-of-service crash with no authentication required. A single crafted deeply-nested JSON file exhausts Python's call stack and kills the worker process. Patch llama-index-core to 0.12.38 immediately; if patching is delayed, add pre-validation to cap JSON nesting depth before it reaches JSONReader.
Is CVE-2025-5302 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-5302, increasing the risk of exploitation.
How to fix CVE-2025-5302?
1. Patch: Upgrade llama-index-core to >=0.12.38 immediately — this is the only complete fix.
2. Workaround (if patching is delayed): Pre-validate all incoming JSON to enforce a maximum nesting depth (recommended: 20-50 levels) before passing to JSONReader. Reject or flatten payloads exceeding this threshold.
3. Process isolation: Run document ingestion workers in isolated processes or containers so a crash does not affect the broader application.
4. Detection: Alert on RecursionError tracebacks in application logs, unexpected Python worker restarts, or abrupt availability drops in document ingestion endpoints.
5. Input sanitization at API boundaries: For public-facing endpoints, enforce JSON payload size limits and structural constraints as a defense-in-depth measure.
What systems are affected by CVE-2025-5302?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document loaders, agent frameworks, multi-document query engines.
What is the CVSS score for CVE-2025-5302?
CVE-2025-5302 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.
Exploitation Scenario
An adversary targeting a RAG-based AI platform built on llama-index crafts a deeply nested JSON document (e.g., {"a":{"a":{"a":{...}}}} extending 1,500+ levels). They submit this via a public document upload endpoint, a scraped URL the indexer fetches automatically, or by embedding it in a data source the agent periodically re-ingests. When JSONReader parses it, Python's default recursion limit (~1000 frames) is exceeded, raising an unhandled RecursionError that kills the worker process. In an automated pipeline, the adversary can repeatedly inject this payload to maintain persistent unavailability, forcing continuous restarts with no data exfiltration required and a trivial payload size.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Related Vulnerabilities
- CVE-2024-12704 (7.5): llama-index: DoS via infinite loop in LangChain LLM. Same package: llama-index-core
- CVE-2025-6209 (7.5): llama_index: path traversal allows arbitrary file read. Same package: llama-index-core
- CVE-2025-7647 (7.3): llama-index-core: insecure /tmp dir, model theft risk. Same package: llama-index-core
- CVE-2025-5472 (6.5): llama-index: JSONReader DoS via recursive JSON parsing. Same package: llama-index-core
- CVE-2025-6208 (5.3): llama-index-core: DoS causes service disruption. Same package: llama-index-core