llama-index-core is vulnerable to Uncontrolled Resource Consumption
65
Medium Risk
Affected versions of this package fail to enforce a maximum recursion depth when parsing deeply nested JSON objects, leaving them open to a denial-of-service (DoS) attack. The code reads JSON data from a file without a max_depth parameter or proper exception handling, so a sufficiently nested document drives the parser into excessive recursion, can trigger Python's recursion limit and crash the application. An attacker could exploit this by submitting a maliciously crafted JSON file with extreme levels of nesting, causing the system to consume excessive CPU and memory resources or terminate unexpectedly.
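As an added illustration (not code from llama-index or from this advisory), the following depth-bounded loader applies the kind of check the advisory says is missing: it measures nesting iteratively before calling json.loads, rejects input above a configured limit, and catches RecursionError as a second line of defence. The function names, the 64-level default and the sample inputs are assumptions constructed for the example.

```python
import json

class JSONDepthError(ValueError):
    """Raised when JSON nests deeper than the configured limit."""

def json_nesting_depth(text: str) -> int:
    """Max bracket nesting depth of raw JSON text, computed iteratively.

    Runs before json.loads so it cannot itself hit the recursion limit;
    brackets inside string literals are ignored.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth

def load_json_bounded(text: str, max_depth: int = 64):
    """Parse JSON only if its nesting depth is at most max_depth.

    Hostile input fails with a controlled error instead of exhausting the
    interpreter stack; RecursionError is caught as a second line of defence.
    """
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise JSONDepthError(f"nesting depth {depth} exceeds limit {max_depth}")
    try:
        return json.loads(text)
    except RecursionError as exc:
        raise JSONDepthError("JSON too deeply nested to parse") from exc

# Constructed samples (not from the advisory): a benign document and one
# nested 5000 levels deep, the shape of input the advisory describes.
BENIGN = '{"docs": [{"id": 1, "tags": ["a", "b"]}]}'
DEEP = "[" * 5000 + "]" * 5000
```

Calling load_json_bounded(DEEP) raises JSONDepthError before json.loads ever sees the document, while load_json_bounded(BENIGN) returns the parsed object.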
You are affected if you are using a version that falls within the vulnerable range.
llama-index-core is vulnerable to Uncontrolled Resource Consumption in versions 0.8.39 - 0.12.37.
Upgrade the llama-index-core library to the patched version.