PT-2025-28149 · Unknown · Llama Index
Masci · Published 2025-07-07 · Updated 2025-07-30
CVE-2025-3225 · CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions:
llama index versions v0.12.21 through v0.12.28
Description:
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama index repository. This issue allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash.
Recommendations:
For versions v0.12.21 through v0.12.28, update to version v0.12.29 to resolve the issue.
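As an added illustration (not code from llama_index or from this advisory), a sitemap `<loc>` extractor built on the standard-library expat bindings: it rejects any DOCTYPE or entity declaration inside the parser callback, so an entity-expansion document is refused before a single entity is expanded. The sample documents and the `example.com` URLs are constructed for the example.

```python
from xml.parsers.expat import ParserCreate, ExpatError

class UnsafeSitemapError(ValueError):
    """Raised when a sitemap carries a DOCTYPE or entity declaration."""

def parse_sitemap_urls(xml_bytes: bytes) -> list[str]:
    """Return the <loc> URLs of a sitemap. A DOCTYPE or entity declaration
    aborts parsing inside the expat callback, before any entity is expanded,
    so an entity-expansion document never gets to consume memory."""
    urls, stack, text = [], [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSitemapError(f"DOCTYPE {name!r} is not allowed in a sitemap")
    def reject_entity(name, *_):
        raise UnsafeSitemapError(f"entity declaration {name!r} is not allowed")
    def start(tag, attrs):
        stack.append(tag.rsplit("}", 1)[-1])  # drop the sitemap namespace, if any
        text.clear()
    def end(tag):
        if stack.pop() == "loc":
            urls.append("".join(text).strip())
        text.clear()

    parser = ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    try:
        parser.Parse(xml_bytes, True)
    except ExpatError as exc:
        raise UnsafeSitemapError(f"malformed sitemap: {exc}") from exc
    return urls

def is_safe_sitemap(xml_bytes: bytes) -> bool:
    """True when the document parses without tripping the DTD/entity checks."""
    try:
        parse_sitemap_urls(xml_bytes)
        return True
    except UnsafeSitemapError:
        return False

# Constructed samples: a benign sitemap and a minimal entity-expansion one.
BENIGN = (b'<?xml version="1.0"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
          b'<url><loc>https://example.com/a</loc></url><url><loc> https://example.com/b </loc></url></urlset>')
EXPANDING = (b'<?xml version="1.0"?><!DOCTYPE urlset [<!ENTITY a "aaaaaaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;">]><urlset><url><loc>&b;</loc></url></urlset>')
```

The same rejection applies to a DOCTYPE that points at an external DTD, since the check fires on the declaration itself rather than on its contents.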
Tags: Exploit · Fix · DoS · XML Entity Expansion
Affected Products: Llama Index