CVE-2025-5302 — Vulnetix

CVE-2025-5302 PUBLISHED CVSS 8.600000381469727 HIGH

A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.

EPSS 0.05% · 17.4th percentile

Risk Scores

CVSS 3.0

8.600000381469727

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS Score

0.05%

17.4th percentile

Affected Products

Vendor	Product	Versions
PyPI	llama-index-core	0
run-llama	run-llama/llama_index	unspecified

Exploit Intelligence

CIRCL seen: CVE-2025-5302 (circl-sighting)
https://huntr.com/bounties/70041b81-de9e-4046-8c0e-6ccd557048a6 (circl)
https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635 (circl)

Timeline

Aug 25, 2025 CVE Published
Aug 25, 2025 CVE Updated
Aug 26, 2025 EPSS Score
Aug 26, 2025 Coalition ESS Score
Aug 26, 2025 PoC Published
Sep 3, 2025 EPSS Score
Sep 11, 2025 EPSS Score
Sep 18, 2025 EPSS Score
Sep 26, 2025 EPSS Score
Oct 4, 2025 EPSS Score
Oct 4, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score

References

Open in Interactive Console →