7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-1752

GHSA ID

GHSA-7c85-87cp-mr6g

EPSS Score

0.41005%

CWE

CWE-400

Published

5/10/2025

Updated

5/12/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1752

CVE-2025-1752: LlamaIndex Vulnerable to Denial of Service (DoS)

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-1752

GHSA ID

GHSA-7c85-87cp-mr6g

EPSS Score

0.41005%

CWE

CWE-400

Published

5/10/2025

Updated

5/12/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
llama-index	pip	>= 0.12.15, < 0.12.21	0.12.21

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names the KnowledgeBaseWebReader class and its get_article_urls function as the source of the DoS vulnerability due to improper handling of the max_depth parameter, leading to uncontrolled recursion. The provided commit 3c65db2947271de3bd1927dc66a044da385de4da directly addresses this issue by modifying the get_article_urls function. The patch introduces a depth parameter to track the current recursion level and adds a condition to stop recursion if depth reaches max_depth. This confirms that the get_article_urls function, prior to this patch, was the vulnerable function. The full namespace is derived from the file path and class structure typical in Python projects.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **ni*l o* S*rvi** (*oS) vuln*r**ility **s ***n i**nti*i** in t** Knowl******s*W**R****r *l*ss o* t** run-ll*m*/ll*m*_in**x proj**t, *****tin* v*rsion ~ l*t*st(v*.**.**). T** vuln*r**ility *ris*s *u* to in*ppropri*t* s**ur* *o*in* m**sur*s, sp**i*i*

Reasoning

T** vuln*r**ility **s*ription *xpli*itly n*m*s t** `Knowl******s*W**R****r` *l*ss *n* its `**t_*rti*l*_urls` *un*tion *s t** sour** o* t** *oS vuln*r**ility *u* to improp*r **n*lin* o* t** `m*x_**pt*` p*r*m*t*r, l***in* to un*ontroll** r**ursion. T**

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-1752: LlamaIndex Vulnerable to Denial of Service (DoS)

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI