CVE-2025-6208 — MEDIUM (CVSS 5.3) AI Security Vulnerability

CISO Take

If your organization uses LlamaIndex's SimpleDirectoryReader for document ingestion—particularly in RAG pipelines or agent workflows—patch to version 0.12.41 immediately. An unauthenticated attacker who can influence the directory path processed by this component can trigger memory exhaustion, taking down your ingestion service. The blast radius is availability-only, but in production RAG environments this translates to a downed knowledge base.

Risk Assessment

Moderate operational risk for LlamaIndex-dependent deployments. CVSS 5.3 with AV:N/AC:L/PR:N/UI:N means zero friction to trigger remotely with no privileges—but impact is capped at partial availability loss (A:L). EPSS 0.00019 signals negligible exploitation activity in the wild as of publication. Risk escalates significantly when SimpleDirectoryReader processes attacker-controlled paths in multi-tenant SaaS, public-facing RAG APIs, or document processing pipelines without resource isolation. Not in CISA KEV; not yet weaponized.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
llama-index-core	pip	< 0.12.41	`0.12.41`
49.1K 1.1K dependents Pushed 8d ago 100% patched ~50d to patch Full package profile →

Do you use llama-index-core? You're affected.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 6% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A Low

Recommended Action

5 steps

PATCH

Upgrade llama-index-core to >= 0.12.41. This is the definitive fix.
WORKAROUND (pre-patch): Enumerate directory contents and apply file count limits before invoking SimpleDirectoryReader; wrap calls in a subprocess with memory limits (ulimit -v or cgroup v2 memory.max).
ARCHITECTURAL

Never allow user-supplied paths to flow directly into SimpleDirectoryReader—validate, allowlist, and sandbox directory inputs.
DETECTION

Monitor for OOM events or sudden memory spikes in ingestion services; alert on processes hitting 80%+ container memory limits.
ISOLATION

Run document ingestion workers in separate pods/containers with hard memory limits and auto-restart policies to contain blast radius.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework RAG AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity Article 9 - Risk management system

ISO 42001

8.4 - AI system operation and monitoring A.6.2.4 - AI System Resource Management

NIST AI RMF

MANAGE-2.2 - Incident Response and Recovery

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-6208?

If your organization uses LlamaIndex's SimpleDirectoryReader for document ingestion—particularly in RAG pipelines or agent workflows—patch to version 0.12.41 immediately. An unauthenticated attacker who can influence the directory path processed by this component can trigger memory exhaustion, taking down your ingestion service. The blast radius is availability-only, but in production RAG environments this translates to a downed knowledge base.

Is CVE-2025-6208 actively exploited?

No confirmed active exploitation of CVE-2025-6208 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-6208?

1. PATCH: Upgrade llama-index-core to >= 0.12.41. This is the definitive fix. 2. WORKAROUND (pre-patch): Enumerate directory contents and apply file count limits before invoking SimpleDirectoryReader; wrap calls in a subprocess with memory limits (ulimit -v or cgroup v2 memory.max). 3. ARCHITECTURAL: Never allow user-supplied paths to flow directly into SimpleDirectoryReader—validate, allowlist, and sandbox directory inputs. 4. DETECTION: Monitor for OOM events or sudden memory spikes in ingestion services; alert on processes hitting 80%+ container memory limits. 5. ISOLATION: Run document ingestion workers in separate pods/containers with hard memory limits and auto-restart policies to contain blast radius.

What systems are affected by CVE-2025-6208?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, knowledge base hydration workflows.

What is the CVSS score for CVE-2025-6208?

CVE-2025-6208 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.

Exploitation Scenario

An adversary targets a SaaS platform exposing a document ingestion API backed by LlamaIndex. They create a directory or upload a ZIP archive containing thousands of small files (or reference a network share with a massive file tree), then invoke the ingestion endpoint with that path. SimpleDirectoryReader loads every file into memory before num_files_limit discards the excess—causing the ingestion worker to OOM-crash. In a shared-infrastructure deployment, repeated triggers constitute a resource exhaustion DoS that degrades service for all tenants. No authentication, no special knowledge of the model, and no sophisticated tooling required—a basic script iterating directory creation is sufficient.