CVE-2025-1752 Overview
CVE-2025-1752 is a Denial of Service (DoS) vulnerability in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting versions up to and including v0.12.15. The flaw stems from the get_article_urls function failing to enforce the max_depth parameter during recursive crawling. An unauthenticated network attacker can exhaust Python's recursion limit through repeated function calls. This causes the Python process to crash, disrupting any service that relies on the affected reader. The issue is tracked as [CWE-674: Uncontrolled Recursion].
Critical Impact
Remote attackers can trigger uncontrolled recursion, exhausting Python's recursion limit and crashing the LlamaIndex worker process without authentication.
Affected Products
- run-llama/llama_index (llamaindex)
- llama-index-readers-web package versions through 0.3.5
- LlamaIndex versions up to and including v0.12.15
Discovery Timeline
- 2025-05-10 - CVE-2025-1752 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2025-1752
Vulnerability Analysis
The vulnerability resides in the KnowledgeBaseWebReader class within llama-index-integrations/readers/llama-index-readers-web/llama_index/readers/web/knowledge_base/base.py. The get_article_urls function recursively crawls a knowledge base to discover article URLs. While the function signature accepts a max_depth parameter, the original implementation never tracked the current recursion depth or compared it against the limit.
As a result, when the reader processes an attacker-controlled site containing dense link graphs or cyclic references, Python continues calling get_article_urls recursively until the interpreter's default recursion limit is reached. Once exceeded, Python raises RecursionError and terminates the worker.
Applications that embed LlamaIndex inside long-running services, such as retrieval-augmented generation (RAG) pipelines or autonomous agent frameworks, lose availability whenever the affected reader is invoked against hostile input.
Root Cause
The max_depth parameter was declared but unused. Without a depth counter passed between recursive calls, the function had no mechanism to terminate traversal. This is a classic uncontrolled recursion defect [CWE-674], where the depth-bounding control exists in the API contract but is absent from the implementation.
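The defect described above and the shape of the upstream fix, as an added illustration that is not code from the llama_index project: a minimal recursive link crawler over a constructed in-memory link graph, first with max_depth accepted but never consulted, then with the explicit depth counter the patch introduces. The function names, the graph and the root URL are assumptions for this example; no network access is involved.

```python
# Added illustration, not code from the llama_index project: a minimal
# recursive link crawler over a constructed in-memory link graph, first with
# the defect pattern (max_depth accepted but never checked) and then with the
# explicit depth counter the upstream patch describes. Function and graph
# names here are assumptions for this example.
from typing import Dict, List, Optional

ROOT_URL = "https://kb.example.test/"  # constructed root for the sample graph


def make_cyclic_graph(n: int) -> Dict[str, List[str]]:
    """Constructed knowledge base: article i links to article i+1 and the last
    article links back to the first, so a crawler that never stops on depth
    always finds a 'next' link to follow."""
    pages = [f"{ROOT_URL}article/{i}" for i in range(n)]
    return {pages[i]: [pages[(i + 1) % n]] for i in range(n)}


def crawl_unbounded(graph: Dict[str, List[str]], root_url: str, current_url: str,
                    max_depth: int = 100, seen: Optional[List[str]] = None) -> List[str]:
    """Defect pattern: max_depth is part of the signature but never consulted,
    so nothing stops the recursion on a cyclic graph."""
    if seen is None:
        seen = []
    seen.append(current_url)
    for link in graph.get(current_url, []):
        if link.startswith(root_url):
            crawl_unbounded(graph, root_url, link, max_depth, seen)
    return seen


def crawl_bounded(graph: Dict[str, List[str]], root_url: str, current_url: str,
                  max_depth: int = 100, depth: int = 0,
                  seen: Optional[List[str]] = None) -> List[str]:
    """Hardened form: an explicit depth counter increments on every recursive
    call and traversal stops once it exceeds max_depth."""
    if seen is None:
        seen = []
    if depth > max_depth:
        return seen
    seen.append(current_url)
    for link in graph.get(current_url, []):
        if link.startswith(root_url):
            crawl_bounded(graph, root_url, link, max_depth, depth + 1, seen)
    return seen


def run_unbounded(graph: Dict[str, List[str]], root_url: str, start_url: str) -> str:
    """Report how the unbounded crawler ends on the given graph."""
    try:
        crawl_unbounded(graph, root_url, start_url)
        return "completed"
    except RecursionError:
        return "RecursionError"


if __name__ == "__main__":
    graph = make_cyclic_graph(3)
    start = f"{ROOT_URL}article/0"
    print("unbounded:", run_unbounded(graph, ROOT_URL, start))
    print("bounded  :", len(crawl_bounded(graph, ROOT_URL, start, max_depth=10)), "visits")
```

On a three-page cycle the unbounded variant ends in RecursionError at the interpreter's recursion limit, while the bounded variant visits exactly max_depth + 1 pages and returns. A depth bound alone still revisits pages on a cycle; a visited set is a further hardening beyond what the patch adds.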
Attack Vector
The attack requires no authentication or user interaction. An attacker hosts a malicious web page or knowledge base that links to deeply nested or self-referential URLs. When a victim application invokes KnowledgeBaseWebReader against that target, recursion expands until the Python process crashes.
return {"title": title, "subtitle": subtitle, "body": body, "url": url}
def get_article_urls(
- self, browser: Any, root_url: str, current_url: str, max_depth: int = 100
+ self,
+ browser: Any,
+ root_url: str,
+ current_url: str,
+ max_depth: int = 100,
+ depth: int = 0,
) -> List[str]:
"""
Recursively crawl through the knowledge base to find a list of articles.
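Review bot: the visible lines only add `depth: int = 0` to the signature; the guard that compares `depth` against `max_depth` and the recursive call that passes `depth + 1` are outside this excerpt, so the bound cannot be confirmed from the hunk alone and the excerpt should be extended to include them. The docstring opening at `"""` should also document `max_depth` and `depth` (noting that `depth` is an internal counter callers leave at 0), since the previous signature accepted `max_depth` without honouring it.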
Source: run-llama/llama_index commit 3c65db2
Detection Methods for CVE-2025-1752
Indicators of Compromise
- Unexpected RecursionError exceptions in Python application logs originating from llama_index/readers/web/knowledge_base/base.py.
- Repeated worker process crashes or restarts coinciding with calls to KnowledgeBaseWebReader.
- Spikes in outbound HTTP requests from LlamaIndex hosts to a single external domain followed by process termination.
Detection Strategies
- Inventory Python environments for installed versions of llama-index-readers-web at or below 0.3.5, and any LlamaIndex deployment at or below v0.12.15.
- Instrument the get_article_urls call path with depth logging or stack-size telemetry to surface abnormal recursion.
- Review web reader inputs and validate that user-supplied URLs cannot be passed directly into KnowledgeBaseWebReader without sanitization.
Monitoring Recommendations
- Alert on RecursionError, MemoryError, or unexpected SIGKILL events in services that import llama_index.readers.web.
- Monitor outbound network traffic for crawl patterns directed at a single host, particularly when paired with worker restarts.
- Track package upgrades through software composition analysis to confirm patched versions are deployed across all environments.
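The first indicator of compromise above (RecursionError tracebacks originating from the reader module) can be checked mechanically. The following is an added detection example, not code from the llama_index project or the advisory's source: it scans application log lines for Python tracebacks ending in RecursionError whose frames include the affected module path. The log line format, the worker names and the sample lines are constructed for this example.

```python
# Added detection example, not from the llama_index project: scans Python
# application log lines for RecursionError tracebacks whose frames come from
# the affected reader module. The log format and the sample lines below are
# constructed for this example.
import re
from typing import Dict, Iterable, List, Optional

AFFECTED_PATH = "llama_index/readers/web/knowledge_base/base.py"

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<worker>\S+) (?P<msg>.*)$")
FRAME_RE = re.compile(r'^\s+File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)')
REPEAT_RE = re.compile(r"^\s+\[Previous line repeated (?P<n>\d+) more times\]")
EXC_RE = re.compile(r"^(?P<exc>[A-Za-z_][\w.]*)(?:: (?P<msg>.*))?$")

# Constructed sample: one crash inside the affected reader followed by a
# supervisor restart, and one unrelated RecursionError that must not be flagged.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z INFO worker-3 KnowledgeBaseWebReader root_url=https://kb.example.test/
2025-06-01T10:00:09Z ERROR worker-3 Traceback (most recent call last):
  File "/srv/app/ingest.py", line 42, in ingest
    docs = reader.load_data()
  File "/srv/venv/lib/python3.11/site-packages/llama_index/readers/web/knowledge_base/base.py", line 88, in get_article_urls
    urls.extend(self.get_article_urls(browser, root_url, link, max_depth))
  [Previous line repeated 980 more times]
RecursionError: maximum recursion depth exceeded
2025-06-01T10:00:10Z WARN supervisor worker-3 exited with code 1, restarting
2025-06-01T10:05:00Z ERROR worker-1 Traceback (most recent call last):
  File "/srv/app/parse.py", line 10, in parse
    return parse(node.child)
RecursionError: maximum recursion depth exceeded
"""


def find_reader_recursion_crashes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per RecursionError traceback that passed through the
    affected module, with the worker, timestamp and collapsed frame count."""
    findings: List[Dict[str, object]] = []
    tb: Optional[Dict[str, object]] = None  # traceback currently being assembled
    for raw in lines:
        line = raw.rstrip("\n")
        header = HEADER_RE.match(line)
        if header:
            if header.group("msg").startswith("Traceback (most recent call last):"):
                tb = {"ts": header.group("ts"), "worker": header.group("worker"),
                      "frames": [], "repeated_frames": 0}
            else:
                tb = None  # any other timestamped line ends an open traceback
            continue
        if tb is None:
            continue
        frame = FRAME_RE.match(line)
        if frame:
            tb["frames"].append(frame.groupdict())
            continue
        repeat = REPEAT_RE.match(line)
        if repeat:
            tb["repeated_frames"] = int(repeat.group("n"))
            continue
        if line.startswith(" "):
            continue  # echoed source line or caret marker inside the traceback
        exc = EXC_RE.match(line)
        if exc:
            hits = [f for f in tb["frames"] if str(f["path"]).endswith(AFFECTED_PATH)]
            if exc.group("exc") == "RecursionError" and hits:
                findings.append({"ts": tb["ts"], "worker": tb["worker"],
                                 "function": hits[-1]["func"],
                                 "repeated_frames": tb["repeated_frames"]})
            tb = None
    return findings


if __name__ == "__main__":
    for finding in find_reader_recursion_crashes(SAMPLE_LOG.splitlines()):
        print(finding)
```

The unrelated traceback in worker-1 is ignored because none of its frames come from the affected module, so the rule keys on the module path rather than on RecursionError alone. The collapsed "[Previous line repeated N more times]" count is kept as evidence of crawl depth and can be correlated with the supervisor restart line that follows.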
How to Mitigate CVE-2025-1752
Immediate Actions Required
- Upgrade llama-index-readers-web to version 0.3.6 or later, which contains the fix from commit 3c65db2.
- Audit application code for any invocation of KnowledgeBaseWebReader exposed to untrusted URLs or user input.
- Apply input validation and allowlists to restrict which domains the reader may crawl.
Patch Information
The maintainers released the fix in run-llama/llama_index commit 3c65db2, shipped in llama-index-readers-web version 0.3.6. The patch introduces an explicit depth parameter that increments on each recursive call and terminates when it exceeds max_depth. Additional context is available in the Huntr Security Bounty report.
Workarounds
- If immediate upgrade is not possible, wrap calls to KnowledgeBaseWebReader in a subprocess with a hard timeout to contain crashes.
- Restrict the crawler to trusted internal knowledge bases via network egress controls.
- Lower Python's recursion limit through sys.setrecursionlimit to fail fast and contain resource consumption.
# Upgrade the affected package to the patched release
pip install --upgrade "llama-index-readers-web>=0.3.6"
# Verify installed version
pip show llama-index-readers-web | grep -i version
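The first and third workarounds above (a subprocess with a hard timeout, and a lowered recursion limit) combined, as an added containment example that is not code from the llama_index project: the crawl runs in a child process whose RecursionError or hang is reported to the parent instead of crashing it. The child program here is a constructed stand-in for the crawl; a real deployment would import and call KnowledgeBaseWebReader at that point, and the function names are assumptions for this example.

```python
# Added containment example, not from the llama_index project: runs a crawl in
# a child process with a hard timeout and a lowered recursion limit, so a
# RecursionError (or a hang) in the crawl cannot take down the calling service.
# The child runs a constructed stand-in for the crawl; a real deployment would
# import and call KnowledgeBaseWebReader there instead.
import subprocess
import sys
from typing import Dict, Optional

# Constructed stand-in child program. argv[1] is the recursion limit to enforce,
# argv[2] the depth at which the crawl "finishes" (negative = never, modelling
# a cyclic knowledge base).
CHILD_PROGRAM = r"""
import sys
limit, stop_depth = int(sys.argv[1]), int(sys.argv[2])
sys.setrecursionlimit(limit)  # fail fast instead of burning the default 1000 frames

def crawl(depth):
    if 0 <= stop_depth <= depth:
        return depth
    return crawl(depth + 1)

print("visited depth", crawl(0))
"""


def run_contained(recursion_limit: int, stop_depth: int,
                  timeout_s: float = 30.0) -> Dict[str, Optional[object]]:
    """Run the crawl in a subprocess and classify how it ended; the parent
    process survives whatever the child does."""
    cmd = [sys.executable, "-c", CHILD_PROGRAM, str(recursion_limit), str(stop_depth)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so the hang is contained
        return {"status": "timeout", "returncode": None}
    if proc.returncode == 0:
        status = "ok"
    elif "RecursionError" in proc.stderr:
        status = "recursion_error"
    else:
        status = "crashed"
    return {"status": status, "returncode": proc.returncode}


if __name__ == "__main__":
    print(run_contained(200, stop_depth=50))   # crawl finishes normally
    print(run_contained(200, stop_depth=-1))   # contained RecursionError
```

The parent only ever sees a status and an exit code, so a worker that would otherwise die with the reader now logs a "recursion_error" result and continues serving. The lowered limit (200 here, an assumed value) makes the failure surface quickly on hostile input; choose it above the depth legitimate knowledge bases need.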
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.