Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-3225

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.

Published

2025-07-07T10:15:27.047

Last Modified

2025-07-30T21:24:40.497

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.0: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-776

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	llamaindex	llamaindex	< 0.12.29	Yes

References

https://github.com/run-llama/llama_index/commit/4f6ee062b19212106a2632af9c9521fc7f0a3584 Patch ([email protected])
https://huntr.com/bounties/e33c0699-e9a2-49aa-837b-5363205637a2 Exploit, Third Party Advisory ([email protected])