CVE-2025-5472

Advisory

Affected versions of the LlamaIndex package are vulnerable to Denial of Service (DoS) due to insufficient recursion depth handling in the JSON parser. The `load_data()` function in the `JSONReader` class fails to protect against deeply nested or circular JSON structures during data processing, allowing unbounded recursion depth.

A remote attacker can exploit this vulnerability by providing a maliciously crafted JSON file with excessively nested objects or arrays, causing a stack overflow and denial of service through RecursionError exceptions.

The vulnerability was fixed by implementing exception handling that catches RecursionError during JSON processing (`except RecursionError: ') and gracefully returns an empty document list instead of crashing the application. The fix also adds a warning message to alert users when recursion limits are exceeded during JSON parsing.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635
• https://github.com/advisories/GHSA-3wxx-q3gv-pvvv
• https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5472