Описание
The SimpleDirectoryReader component in llama_index.core version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (num_files_limit) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.
A flaw was found in llama_index. The SimpleDirectoryReader component loads all files from a specified directory into memory before applying a user-defined file limit. This resource management flaw allows an attacker to cause uncontrolled memory consumption. This can lead to memory exhaustion and degraded performance, resulting in a Denial of Service (DoS) for systems utilizing the affected component.
Отчет
This MODERATE impact flaw in llama_index affects Red Hat Ansible Automation Platform and OpenShift Lightspeed. The SimpleDirectoryReader component loads all files from a specified directory into memory before applying any user-defined file limits. This can lead to uncontrolled memory consumption, potentially causing a Denial of Service due to memory exhaustion and degraded performance in resource-constrained environments.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel8 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel8 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.
llama-index-core vulnerable to Uncontrolled Resource Consumption
EPSS
5.3 Medium
CVSS3