CVE-2025-3225
published 2025-07-07
Priority: P3 · 40 · high · CVSS 3.0 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.41% (33.3rd percentile)
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.
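As an added worked example (not code from llama_index, nor from any of the advisories quoted on this page), the stdlib-only Python below builds a small billion-laughs sitemap, shows the naive ElementTree parse expanding it, and shows a hardened expat-based sitemap reader that rejects any DOCTYPE before entity expansion can start. The sitemap documents, the function names, and the 50 MB cap (taken from the sitemaps.org file-size limit) are assumptions made here.

```python
"""Billion-laughs sitemap: the unsafe parse beside a hardened one (stdlib only).

Added example for the CWE-776 issue described above. The documents below are
constructed here and the function names are our own, not llama_index's.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
# sitemaps.org caps an uncompressed sitemap at 50 MB (assumed limit here);
# reject anything larger before it reaches the parser.
MAX_SITEMAP_BYTES = 50 * 1024 * 1024


def build_billion_laughs_sitemap(depth=4, width=10):
    """Constructed attacker input: nested internal entities inside a sitemap.

    Each level references the previous one `width` times, so the single
    reference inside <loc> expands to width**depth copies of "lol". The
    defaults give 10**4 copies (30 KB) from ~500 bytes of input; a real
    attack uses more levels and produces gigabytes.
    """
    entities = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * width
        entities.append(f'<!ENTITY lol{level} "{refs}">')
    doctype = "<!DOCTYPE urlset [\n" + "\n".join(entities) + "\n]>"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"{doctype}\n"
        f'<urlset xmlns="{SITEMAP_NS}">'
        f"<url><loc>https://example.com/&lol{depth};</loc></url>"
        "</urlset>"
    ).encode()


# Constructed benign sitemap with two URLs, used to show the safe path works.
BENIGN_SITEMAP = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    f'<urlset xmlns="{SITEMAP_NS}">'
    "<url><loc>https://example.com/a</loc></url>"
    "<url><loc>https://example.com/b</loc></url>"
    "</urlset>"
).encode()


def naive_parse_locs(xml_bytes):
    """The vulnerable pattern: hand untrusted XML to a default parser.

    ElementTree expands internal entities declared in the DTD, so the
    attacker decides how much memory the returned strings occupy.
    """
    root = ET.fromstring(xml_bytes)
    return [loc.text for loc in root.iter(f"{{{SITEMAP_NS}}}loc")]


def amplification(xml_bytes):
    """Bytes of <loc> text produced per byte of input under the naive parse."""
    return sum(len(loc) for loc in naive_parse_locs(xml_bytes)) / len(xml_bytes)


class UnsafeSitemapError(ValueError):
    """Raised when a sitemap uses XML features a sitemap never needs."""


def safe_parse_locs(xml_bytes, max_bytes=MAX_SITEMAP_BYTES):
    """Hardened parse: size cap, then refuse any DOCTYPE or entity declaration.

    A DOCTYPE is the only place a document can declare entities, so refusing
    it leaves only the five predefined entities and no expansion at all.
    """
    if len(xml_bytes) > max_bytes:
        raise UnsafeSitemapError(f"sitemap larger than {max_bytes} bytes")

    def reject(*_args):
        raise UnsafeSitemapError("DOCTYPE/ENTITY declarations are not allowed")

    locs, buf, inside = [], [], [False]

    def start(name, _attrs):
        if name.rsplit(":", 1)[-1] == "loc":  # tolerate a prefixed element name
            inside[0] = True
            buf[:] = []

    def end(name):
        if inside[0] and name.rsplit(":", 1)[-1] == "loc":
            locs.append("".join(buf).strip())
            inside[0] = False

    def chars(data):
        if inside[0]:
            buf.append(data)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject   # fires before the internal subset is read
    parser.EntityDeclHandler = reject         # belt and braces
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)             # an exception from reject() propagates here
    return locs


if __name__ == "__main__":
    doc = build_billion_laughs_sitemap()
    print(f"input {len(doc)} bytes, naive amplification x{amplification(doc):.0f}")
    print("safe parse of benign sitemap:", safe_parse_locs(BENIGN_SITEMAP))
    try:
        safe_parse_locs(doc)
    except UnsafeSitemapError as exc:
        print("safe parse rejected attack:", exc)
```

The demo deliberately stays far below 8 MiB of output: expat 2.4 and later caps amplification at roughly 100x once that much output has been produced, which is why a small payload still parses on current Python but a bounded-yet-large blow-up remains possible if the DOCTYPE is accepted at all. Rejecting the DOCTYPE up front, as above, removes the expansion entirely; defusedxml's ElementTree wrapper forbids entity declarations in the same way for code that wants to keep the ElementTree API.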
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| llamaindex | llamaindex | >= 0.12.21 < 0.12.29 | 0.12.29 |
| run-llama | run-llama_llama_index | >= unspecified < v0.12.29 | v0.12.29 |
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
GHSA
LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser
ghsa · 2025-07-07 · CVE-2025-3225 [HIGH] · CWE-776
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package before version 0.3.2 (in llama-index v0.10.0 and above through v0.12.29). This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version 0.3.2 (in llama-index 0.12.29).
OSV
LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser
osv · 2025-07-07 · CVE-2025-3225 [HIGH]
Description identical to the GHSA entry above.
Red Hat
llama-index: XML Entity Expansion in llama_index
vendor_redhat · 2025-07-07 · CVSS 7.5 · CVE-2025-3225 [HIGH] · CWE-776
Description identical to the NVD entry above.
An XML Entity Expansion vulnerability has been discovered in llama_index. The sitemap parser does not properly handle XML parsing and may be subject to an attack known as a 'billion laughs' attack. This may lead to a denial of service in the running process.
Mitigation: Mitigation for this issue is either not available or the currentl
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.