CVE-2025-6208

GHSA-488g-hw5f-x29p MEDIUM
Published February 2, 2026
CISO Take

If your organization uses LlamaIndex's SimpleDirectoryReader for document ingestion—particularly in RAG pipelines or agent workflows—patch to version 0.12.41 immediately. An unauthenticated attacker who can influence the directory path processed by this component can trigger memory exhaustion, taking down your ingestion service. The blast radius is availability-only, but in production RAG environments this translates to a downed knowledge base.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llama-index-core | pip | < 0.12.41 | 0.12.41 |


Severity & Risk

CVSS 3.1: 5.3 / 10
EPSS: 0.0% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. PATCH: Upgrade llama-index-core to >= 0.12.41. This is the definitive fix.
  2. WORKAROUND (pre-patch): Enumerate directory contents and apply file count limits before invoking SimpleDirectoryReader; wrap calls in a subprocess with memory limits (ulimit -v or cgroup v2 memory.max).
  3. ARCHITECTURAL: Never allow user-supplied paths to flow directly into SimpleDirectoryReader—validate, allowlist, and sandbox directory inputs.
  4. DETECTION: Monitor for OOM events or sudden memory spikes in ingestion services; alert on processes hitting 80%+ container memory limits.
  5. ISOLATION: Run document ingestion workers in separate pods/containers with hard memory limits and auto-restart policies to contain blast radius.
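One way to implement the pre-patch enumeration check from step 2 together with the path validation from step 3, as an added example (not code from LlamaIndex or from this advisory). The function name `bounded_file_list`, the `allowed_root` parameter and the budget values are assumptions; the accepted list can be handed to `SimpleDirectoryReader` through its `input_files` argument so the reader never walks the directory itself.

```python
import os
import tempfile
from pathlib import Path


class IngestLimitExceeded(Exception):
    """Directory exceeds the ingestion budget; nothing should be loaded."""


def bounded_file_list(user_dir, allowed_root, max_files=100, max_dirs=50,
                      max_total_bytes=50 * 1024 * 1024):
    """List regular files under user_dir, failing closed once a budget is hit.

    os.scandir is lazy, so an oversized tree is rejected after roughly
    max_files entries instead of being enumerated or read in full.
    """
    root, target = Path(allowed_root).resolve(), Path(user_dir).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise ValueError(f"{target} is outside the allowed root {root}")
    files, total, dirs_seen, stack = [], 0, 0, [str(target)]
    while stack:
        with os.scandir(stack.pop()) as entries:
            for entry in entries:
                if entry.is_symlink():
                    continue  # never follow links out of the allowed root
                if entry.is_dir(follow_symlinks=False):
                    dirs_seen += 1
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    total += entry.stat(follow_symlinks=False).st_size
                    files.append(entry.path)
                if (len(files) > max_files or dirs_seen > max_dirs
                        or total > max_total_bytes):
                    raise IngestLimitExceeded(f"{target} exceeds ingestion budget")
    return sorted(files)


def demo():
    """Constructed sample: one 500-file directory and one 3-file directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, count in (("flood", 500), ("normal", 3)):
            os.mkdir(os.path.join(root, name))
            for i in range(count):
                Path(root, name, f"doc{i}.txt").write_text("constructed sample")
        try:
            bounded_file_list(os.path.join(root, "flood"), root)
            flood_rejected = False
        except IngestLimitExceeded:
            flood_rejected = True
        accepted = bounded_file_list(os.path.join(root, "normal"), root)
        return flood_rejected, len(accepted)
```

The check rejects the whole request instead of truncating, so an oversized directory is logged and refused rather than partially ingested.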

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring; A.6.2.4 - AI System Resource Management
NIST AI RMF: MANAGE-2.2 - Incident Response and Recovery
OWASP LLM Top 10: LLM10:2025 - Unbounded Consumption

Technical Details

NVD Description

The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.

Exploitation Scenario

An adversary targets a SaaS platform exposing a document ingestion API backed by LlamaIndex. They create a directory or upload a ZIP archive containing thousands of small files (or reference a network share with a massive file tree), then invoke the ingestion endpoint with that path. SimpleDirectoryReader loads every file into memory before num_files_limit discards the excess—causing the ingestion worker to OOM-crash. In a shared-infrastructure deployment, repeated triggers constitute a resource exhaustion DoS that degrades service for all tenants. No authentication, no special knowledge of the model, and no sophisticated tooling required—a basic script iterating directory creation is sufficient.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: February 2, 2026
Last Modified: February 2, 2026
First Seen: March 24, 2026