CVE-2025-5472: llama-index: JSONReader DoS via recursive JSON parsing
GHSA-3wxx-q3gv-pvvv | Severity: MEDIUM | CISA SSVC: Track
If your team uses LlamaIndex for document ingestion, upgrade llama-index-core to 0.12.38 or later immediately. Any service that processes untrusted JSON through JSONReader can be crashed (unhandled RecursionError) by a crafted, deeply nested JSON document. There is no data exposure risk; availability disruption in RAG or agentic workflows is the real operational threat.
What is the risk?
Low-to-medium operational risk in practice. CVSS 6.5 with an availability-only impact, and negligible active exploitation signal (EPSS 0.0005; not in the CISA KEV catalog). The attack surface is nonetheless realistic: RAG pipelines that ingest external or user-supplied JSON files are common, and the exploit is nothing more than a text file of nested brackets. Trivial attack complexity offsets the modest severity rating in high-exposure, document-heavy deployments. Self-healing infrastructure (auto-restarting pods) limits how long any single crash lasts, but because each submission costs the attacker almost nothing, repeated uploads can keep the service degraded for as long as they care to continue.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LlamaIndex Core | pip | < 0.12.38 | 0.12.38 |
If you run llama-index-core below 0.12.38 and JSONReader ever sees untrusted input, you're affected.
What should I do?
Six steps:
1. Upgrade llama-index-core to >= 0.12.38; this is the definitive fix.
2. If patching is delayed, wrap JSONReader calls in a try/except that catches RecursionError and returns a sanitized error response. Catch it per document, inside the request or job handler, so one bad file fails that job rather than the worker.
3. Pre-validate JSON nesting depth at ingestion boundaries before passing the document to LlamaIndex: a depth-counting pre-parser that scans the raw text iteratively and rejects anything deeper than a small budget.
4. Enforce maximum document size and structural complexity limits at API or upload endpoints.
5. Do not raise sys.setrecursionlimit as a workaround. A higher limit only lets the traversal recurse further and, on many runtimes, turns a catchable RecursionError into a native stack overflow that kills the whole process. On custom Python runtimes keep the limit at its default, or lower it, so failures stay catchable.
6. Monitor application logs for RecursionError occurrences on the ingestion path as a detection signal for active exploitation attempts; a burst of them tied to one client or upload source is the pattern to alert on.
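Steps 2 through 4 above combined into one ingestion guard, as an added example that is not part of the original page or of the llama-index project. It assumes the ingestion service can see the raw document text before handing it to JSONReader; json.loads stands in for the reader call, and safe_ingest, json_nesting_depth, JsonTooDeep and nested_payload are hypothetical helper names. The attack payload is constructed here, of the kind the exploitation scenario on this page describes.

```python
import json

# Depth budget for untrusted documents (assumed value). CPython's own json
# decoder also recurses and raises RecursionError near the interpreter's
# recursion limit (1000 by default), so the budget must sit well below that
# so payloads are rejected before json.loads or JSONReader ever sees them.
MAX_JSON_DEPTH = 64


class JsonTooDeep(ValueError):
    """Raised when raw JSON text nests deeper than the configured budget."""


def json_nesting_depth(text: str, max_depth: int = MAX_JSON_DEPTH) -> int:
    """Return the maximum bracket nesting depth of raw JSON text.

    Single iterative pass (no recursion, so the scanner itself cannot be
    blown up); brackets inside string literals are ignored, with JSON
    escapes honoured. Raises JsonTooDeep as soon as the budget is exceeded,
    so a huge payload is rejected after reading max_depth + 1 open brackets.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonTooDeep(f"nesting exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def safe_ingest(text: str, max_depth: int = MAX_JSON_DEPTH, max_chars: int = 1_000_000):
    """Validate untrusted JSON before it reaches a recursive reader.

    Returns ("ok", parsed_object) or ("rejected", reason). The size cap is
    step 4, the depth pre-check is step 3, and catching RecursionError is the
    step 2 fallback for anything that slips past the pre-check. Hypothetical
    helper; json.loads stands in for the JSONReader call.
    """
    if len(text) > max_chars:
        return ("rejected", "document too large")
    try:
        json_nesting_depth(text, max_depth)
        return ("ok", json.loads(text))
    except JsonTooDeep as exc:
        return ("rejected", str(exc))
    except json.JSONDecodeError:
        return ("rejected", "malformed JSON")
    except RecursionError:
        # Never let this escape the worker: one bad document fails, the process lives.
        return ("rejected", "parser recursion limit hit")


def nested_payload(levels: int) -> str:
    """Constructed attack payload: `levels` nested empty arrays, 2 bytes per level."""
    return "[" * levels + "]" * levels


if __name__ == "__main__":
    # Benign document; brackets inside the string value do not count as nesting.
    print(safe_ingest('{"title": "ok", "tags": ["a", "b"], "note": "[[[[ in a string"}'))
    # 5000-level payload (10 KB) is rejected after 65 brackets, before any parser runs.
    print(safe_ingest(nested_payload(5000)))
```

With the depth budget in place the crafted file never reaches a recursive parser at all; the RecursionError branch only matters when the budget is misconfigured (the test below forces that by raising max_depth) and shows why step 2 belongs inside the per-document handler rather than at process level.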
What does CISA's SSVC say?
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0); decision based on the CISA Coordinator decision tree.
How is it classified?
CWE-674, Uncontrolled Recursion (see Weaknesses below).
Frequently Asked Questions
What is CVE-2025-5472?
A denial-of-service flaw in LlamaIndex's JSONReader: a crafted, deeply nested JSON document drives its recursive traversal into an unhandled RecursionError and crashes the process. If your team uses LlamaIndex for document ingestion, upgrade llama-index-core to 0.12.38 or later. There is no data exposure risk; availability disruption in RAG or agentic workflows is the real operational threat.
Is CVE-2025-5472 actively exploited?
No confirmed active exploitation of CVE-2025-5472 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-5472?
1. Upgrade llama-index-core to >= 0.12.38; this is the definitive fix. 2. If patching is delayed, wrap JSONReader calls in a try/except that catches RecursionError, inside the per-document handler, and return a sanitized error response. 3. Pre-validate JSON nesting depth at ingestion boundaries before passing the document to LlamaIndex (an iterative depth-counting pre-parser). 4. Enforce maximum document size and structural complexity limits at API or upload endpoints. 5. Do not raise sys.setrecursionlimit as a workaround; a higher limit lets the traversal recurse further and can turn a catchable RecursionError into a native stack overflow that kills the process. 6. Monitor application logs for RecursionError occurrences on the ingestion path as a detection signal for active exploitation attempts.
What systems are affected by CVE-2025-5472?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.
What is the CVSS score for CVE-2025-5472?
CVE-2025-5472 has a CVSS base score of 6.5 (MEDIUM); the published vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The UI:R component reflects that the crafted file must be ingested; in a pipeline that processes uploads automatically that interaction costs the attacker nothing. The EPSS exploitation probability is 0.34%.
What is the AI security impact?
Affected AI architectures: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.
MITRE ATLAS techniques:
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
The JSONReader in run-llama/llama_index version 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.
Exploitation Scenario
An adversary targeting an AI-powered document processing service, such as a RAG knowledge base with a file upload endpoint or a LlamaIndex-backed API, submits a crafted JSON file containing 1000+ levels of nested objects (trivially generated, under 100KB). When the service processes the document, JSONReader's recursive traversal hits the interpreter's recursion limit and raises an unhandled RecursionError, crashing the worker. In Kubernetes deployments with readiness probes and auto-restart, the attacker can repeat submissions to keep the service in a persistently degraded state. No authentication is required if the ingestion endpoint is public-facing.
Weaknesses (CWE)
CWE-674 — Uncontrolled Recursion: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
- [Implementation] Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
- [Implementation] Increase the stack size.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Related Vulnerabilities (same package: llama-index-core)
- CVE-2025-5302 8.6 llama-index: JSON parsing DoS via deep recursion
- CVE-2025-6209 7.5 llama_index: path traversal allows arbitrary file read
- CVE-2024-12704 7.5 llama-index: DoS via infinite loop in LangChain LLM
- CVE-2025-7647 7.3 llama-index-core: insecure /tmp dir, model theft risk
- CVE-2025-6208 5.3 llama-index-core: DoS causes service disruption