Описание
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.
A flaw was found in the JSONReader component of the llama_index Python package, where the _depth_first_yield function has no limit on the recursive number of times it is called. This vulnerability causes Python to reach its maximum recursive depth when parsing deeply nested JSON files. The program crashes, resulting in a Denial of Service. This process consumes significant CPU and memory resources while attempting to handle the nesting. This issue was fixed in version 0.12.38.
Отчет
This vulnerability is marked as Important rather than Moderate because it allows the attacker to potentially coordinate the attack through a network required over the whole user base of llama-index package. This DoS attack is easy to reproduce and only requires sending the malicious deeply nested JSON files which could be transmitted to lots of users of this package and trigger an uncontrolled recursion.
Меры по смягчению последствий
There is currently no available mitigation for this flaw. However, upgrading the llama_index package, once available, to the version 0.12.38 addresses this issue.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/platform-resource-runner-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/aap-cloud-metrics-collector-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ansible-dev-tools-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/de-minimal-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/de-minimal-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.2 High
CVSS3
Связанные уязвимости
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.
LlamaIndex affected by a Denial of Service (DOS) in JSONReader
EPSS
8.2 High
CVSS3