CVE-2025-5472: llama-index: JSONReader DoS via recursive JSON parsing

GHSA-3wxx-q3gv-pvvv | Severity: MEDIUM | CISA SSVC: Track*
Published July 7, 2025
CISO Take

If your team uses LlamaIndex for document ingestion, upgrade llama-index-core to 0.12.38 immediately. Any service processing untrusted JSON through JSONReader is vulnerable to a crash via crafted deeply-nested payloads. No data exposure risk, but availability disruption in RAG or agentic workflows is the real operational threat.

Risk Assessment

Low-to-medium operational risk in practice. CVSS 6.5 with availability-only impact and negligible active exploitation signal (EPSS 0.0005, absent from CISA KEV). However, the attack surface is realistic: RAG pipelines that ingest external or user-supplied JSON files are common, and the exploit requires nothing more than a crafted text file. The trivial attack complexity partially offsets the low severity rating in high-exposure, document-heavy deployments. Self-healing infrastructure (auto-restart pods) limits how long any single crash lasts, but repeated submissions sustain the disruption at minimal attacker cost.

Affected Systems

Package            Ecosystem   Vulnerable Range   Patched
llama-index-core   pip         < 0.12.38          0.12.38


Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

6 steps
  1. Upgrade llama-index-core to >= 0.12.38 — this is the definitive fix.

  2. If patching is delayed, wrap JSONReader calls in a try/except block catching RecursionError and return a sanitized error response.

  3. Pre-validate JSON nesting depth at ingestion boundaries before passing to LlamaIndex (implement a depth-counting pre-parser).

  4. Enforce maximum document size and structural complexity limits at API or upload endpoints.

  5. Set sys.setrecursionlimit deliberately if using custom Python runtimes; raising it to accommodate deeper documents is not a fix, since a limit beyond the real stack capacity turns a catchable RecursionError into a hard interpreter crash.

  6. Monitor application logs for RecursionError occurrences as a detection signal for active exploitation attempts.
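As an added example (not code from this page or from the LlamaIndex project), steps 2 and 3 above implemented in Python: an iterative depth-counting pre-parser that rejects over-nested documents before any recursive parser runs, plus a RecursionError fallback. The names json_nesting_depth, safe_ingest and JsonTooDeep and the two sample documents are constructed for this illustration; json.loads stands in for the recursive reader stage so the block runs without llama-index installed.

```python
import json

class JsonTooDeep(ValueError):
    """Raised when a JSON document exceeds the configured nesting depth."""

def json_nesting_depth(text: str, max_depth: int = 64) -> int:
    """Peak bracket nesting depth of raw JSON text, found iteratively in O(n)
    with no parse tree and no recursion, so it is safe on untrusted input.
    Brackets inside string literals are ignored; raises JsonTooDeep as soon
    as max_depth is exceeded, before the rest of the payload is read."""
    depth = peak = 0
    in_string = escaped = False
    for ch in text:
        if in_string:  # skip string contents, honouring backslash escapes
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                raise JsonTooDeep(f"nesting depth exceeds {max_depth}")
            peak = max(peak, depth)
        elif ch in "}]":
            depth -= 1
    return peak

def safe_ingest(text: str, loader=json.loads, max_depth: int = 64):
    """Gate a document before a recursive loader (json.loads stands in for
    JSONReader here). Returns (document, "ok") or (None, reason). The depth
    pre-check is the primary control; catching RecursionError is the fallback
    for a worker still running the unpatched reader."""
    try:
        json_nesting_depth(text, max_depth)
    except JsonTooDeep as exc:
        return None, f"rejected: {exc}"
    try:
        return loader(text), "ok"
    except RecursionError:
        return None, "rejected: parser recursion limit hit"

# Constructed samples: a benign document and a deeply nested one (~200 KB).
BENIGN = '{"title": "Q3 report", "sections": [{"body": "[[not brackets]]"}]}'
DEEP = "[" * 100_000 + "]" * 100_000
```

The second rejection reason is what step 6 should be alerting on in logs: it only appears when the pre-check was bypassed or set too permissively.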

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: Clause 8.3 - AI Risk Treatment
NIST AI RMF: MANAGE 2.2 - Risk Response — Residual Risks from AI Deployment
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-5472?

If your team uses LlamaIndex for document ingestion, upgrade llama-index-core to 0.12.38 immediately. Any service processing untrusted JSON through JSONReader is vulnerable to a crash via crafted deeply-nested payloads. No data exposure risk, but availability disruption in RAG or agentic workflows is the real operational threat.

Is CVE-2025-5472 actively exploited?

No confirmed active exploitation of CVE-2025-5472 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-5472?

  1. Upgrade llama-index-core to >= 0.12.38 — this is the definitive fix.

  2. If patching is delayed, wrap JSONReader calls in a try/except block catching RecursionError and return a sanitized error response.

  3. Pre-validate JSON nesting depth at ingestion boundaries before passing to LlamaIndex (implement a depth-counting pre-parser).

  4. Enforce maximum document size and structural complexity limits at API or upload endpoints.

  5. Set sys.setrecursionlimit defensively if using custom Python runtimes.

  6. Monitor application logs for RecursionError occurrences as a detection signal for active exploitation attempts.

What systems are affected by CVE-2025-5472?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.

What is the CVSS score for CVE-2025-5472?

CVE-2025-5472 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.

Exploitation Scenario

An adversary targeting an AI-powered document processing service — such as a RAG knowledge base with a file upload endpoint or a LlamaIndex-backed API — submits a crafted JSON file containing 1000+ levels of nested objects (trivially generated, under 100KB). When the service processes the document, JSONReader's recursive traversal exhausts Python's call stack and raises an unhandled RecursionError, crashing the worker. In Kubernetes deployments with readiness probes and auto-restart, the attacker can repeat submissions to maintain a persistent degraded state. No authentication is required if the ingestion endpoint is public-facing.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Timeline

Published: July 7, 2025
Last Modified: July 8, 2025
First Seen: March 24, 2026
