PT-2025-12157 · Run Llama · Llama Index

Published

2025-03-20

Updated

2025-03-21

CVE-2024-12910

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions run-llama/llama index version latest

Description A Denial of Service (DoS) issue exists due to infinite recursive calls to the get article urls method when a URL variable is controlled to contain the root URL, potentially exhausting system resources and crashing the application. This is caused by a vulnerability in the KnowledgeBaseWebReader class.

Recommendations As a temporary workaround, consider disabling the get article urls method until a patch is available. Restrict access to the KnowledgeBaseWebReader class to minimize the risk of exploitation. Avoid using the URL variable to contain the root URL in the affected API endpoint until the issue is resolved.

Exploit

Fix

DoS

Uncontrolled Recursion

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-674CWE-400

Related Identifiers

CVE-2024-12910

GHSA-JVPF-XF32-2W4Q

PYSEC-2025-11

Affected Products

Llama Index

PT-2025-12157 · Run Llama · Llama Index

CVE-2024-12910

Weakness Enumeration

Related Identifiers

Affected Products

References · 9