CVE-2025-5302: LlamaIndex affected by a Denial of Service (DOS) in JSONReader

August 26, 2025

A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.

References

github.com/advisories/GHSA-7753-xrfw-ch36
github.com/run-llama/llama_index
github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635
huntr.com/bounties/70041b81-de9e-4046-8c0e-6ccd557048a6
nvd.nist.gov/vuln/detail/CVE-2025-5302

Code Behaviors & Features

Detect and mitigate CVE-2025-5302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →