Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-w42r-mrx7-c633

Опубликовано: 07 июл. 2025
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package before version 0.3.2 (in llama-index v0.10.0 and above through v0.12.29). This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version 0.3.2 (in llama-index 0.12.29).

Ссылки

Пакеты

Наименование

llama-index-readers-papers

pip
Затронутые версииВерсия исправления

< 0.3.2

0.3.2

EPSS

Процентиль: 13%
0.00043
Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-3225

Дефекты

CWE-776

Связанные уязвимости

redhat логотип

CVE-2025-3225

CVSS3: 5.3
redhat
около 1 месяца назад

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.

nvd логотип

CVE-2025-3225

CVSS3: 7.5
nvd
около 1 месяца назад

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.

fstec логотип

BDU:2025-09019

CVSS3: 7.5
fstec
около 1 месяца назад

Уязвимость фреймворка для работы с большими языковыми моделями (LLM) LlamaIndex, связанная с неправильным ограничением рекурсивных ссылок на сущности в DTD, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 13%
0.00043
Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-3225

Дефекты

CWE-776