CVE-2025-5302: LlamaIndex Core JSON parsing DoS

CISO Take

Any llama-index deployment processing external or user-supplied JSON documents is vulnerable to a denial-of-service crash with no authentication required. A single crafted deeply-nested JSON file exhausts Python's call stack and kills the worker process. Patch llama-index-core to 0.12.38 immediately; if patching is delayed, add pre-validation to cap JSON nesting depth before it reaches JSONReader.

What is the risk?

Real-world risk is context-dependent despite the CVSS 8.6 (High) score. The EPSS of 0.00058 signals low current exploitation probability, and the vulnerability is not in CISA KEV. Exposure is highest in public-facing RAG pipelines and document ingestion APIs where untrusted parties can supply JSON payloads. Internal deployments with controlled data sources carry significantly lower risk. Blast radius is limited to availability — no privilege escalation or persistent code execution is possible — but the confidentiality (C:L) and integrity (I:L) components in the CVSS vector suggest potential stack trace leakage or transient state corruption on crash.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LlamaIndex Core	pip	< 0.12.38	`0.12.38`
50.2K 1.2K dependents Pushed 4d ago 100% patched ~50d to patch Full package profile →

Do you use LlamaIndex Core? You're affected.

How severe is it?

CVSS 3.1

8.6 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A High

What should I do?

5 steps

Patch: Upgrade llama-index-core to >=0.12.38 immediately — this is the only complete fix.
Workaround (if patching is delayed): Pre-validate all incoming JSON to enforce a maximum nesting depth (recommended: 20-50 levels) before passing to JSONReader. Reject or flatten payloads exceeding this threshold.
Process isolation: Run document ingestion workers in isolated processes or containers so a crash does not affect the broader application.
Detection: Alert on RecursionError tracebacks in application logs, unexpected Python worker restarts, or abrupt availability drops in document ingestion endpoints.
Input sanitization at API boundaries: For public-facing endpoints, enforce JSON payload size limits and structural constraints as a defense-in-depth measure.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework RAG AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain and improve deployed AI systems

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-5302?

Any llama-index deployment processing external or user-supplied JSON documents is vulnerable to a denial-of-service crash with no authentication required. A single crafted deeply-nested JSON file exhausts Python's call stack and kills the worker process. Patch llama-index-core to 0.12.38 immediately; if patching is delayed, add pre-validation to cap JSON nesting depth before it reaches JSONReader.

Is CVE-2025-5302 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-5302, increasing the risk of exploitation.

How to fix CVE-2025-5302?

1. Patch: Upgrade llama-index-core to >=0.12.38 immediately — this is the only complete fix. 2. Workaround (if patching is delayed): Pre-validate all incoming JSON to enforce a maximum nesting depth (recommended: 20-50 levels) before passing to JSONReader. Reject or flatten payloads exceeding this threshold. 3. Process isolation: Run document ingestion workers in isolated processes or containers so a crash does not affect the broader application. 4. Detection: Alert on RecursionError tracebacks in application logs, unexpected Python worker restarts, or abrupt availability drops in document ingestion endpoints. 5. Input sanitization at API boundaries: For public-facing endpoints, enforce JSON payload size limits and structural constraints as a defense-in-depth measure.

What systems are affected by CVE-2025-5302?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document loaders, agent frameworks, multi-document query engines.

What is the CVSS score for CVE-2025-5302?

CVE-2025-5302 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesdocument loadersagent frameworksmulti-document query engines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.

Exploitation Scenario

An adversary targeting a RAG-based AI platform built on llama-index crafts a deeply nested JSON document (e.g., {"a":{"a":{"a":{...}}}} extending 1,500+ levels). They submit this via a public document upload endpoint, a scraped URL the indexer fetches automatically, or by embedding it in a data source the agent periodically re-ingests. When JSONReader parses it, Python's default recursion limit (~1000 frames) is exceeded, raising an unhandled RecursionError that kills the worker process. In an automated pipeline, the adversary can repeatedly inject this payload to maintain persistent unavailability, forcing continuous restarts with no data exfiltration required and a trivial payload size.

Weaknesses (CWE)

CWE-674 Uncontrolled Recursion Primary

CWE-674 — Uncontrolled Recursion: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

[Implementation] Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
[Implementation] Increase the stack size.

Source: MITRE CWE corpus.