CVE-2025-3225: Llamaindex XML Entity Expansion DoS Flaw

CVE-2025-3225 is an XML Entity Expansion vulnerability in Llamaindex's sitemap parser that enables billion laughs attacks, exhausting system memory and causing crashes. This article covers technical details, affected versions, and patches.

Published: May 11, 2026

CVE-2025-3225 Overview

CVE-2025-3225 is an XML Entity Expansion vulnerability, commonly known as a "billion laughs" attack, in the sitemap parser of the run-llama/llama_index repository. The flaw affects version v0.12.21 and is resolved in v0.12.29. An attacker can supply a crafted Sitemap XML document containing nested entity references that expand exponentially during parsing. Processing this input exhausts system memory and can crash the host application. The vulnerability is classified under CWE-776 (Improper Restriction of Recursive Entity References in DTDs).

Critical Impact

Remote, unauthenticated attackers can trigger memory exhaustion and denial of service in any application embedding the vulnerable LlamaIndex sitemap reader.

Affected Products

  • LlamaIndex llama_index version v0.12.21
  • LlamaIndex readers package llama-index-readers-papers version 0.3.1
  • Applications using the vulnerable sitemap parser or PubMed reader components

Discovery Timeline

  • 2025-07-07 - CVE-2025-3225 published to the National Vulnerability Database
  • 2025-07-30 - Last updated in NVD database

Technical Details for CVE-2025-3225

Vulnerability Analysis

The vulnerability lives in XML parsing logic that relies on Python's standard xml.etree module. The standard library parser resolves entity references defined in the document without restricting recursion depth or expansion size. An attacker submits a Sitemap XML file containing a small set of entities, each referencing the previous entity multiple times. Parsing the document forces the interpreter to materialize an exponentially growing string in memory.

The LlamaIndex framework is widely embedded in retrieval-augmented generation (RAG) pipelines, where sitemap and document readers ingest external content. A pipeline that accepts a URL or file path from an untrusted source becomes a remote denial of service target. The result is process termination, container restarts, or full host instability when memory limits are absent.

Root Cause

The root cause is unsafe XML parsing using xml.etree.ElementTree without entity expansion protections. The library does not enforce limits on the number of entity expansions a single document may trigger. Maintainers fixed the flaw by switching to defusedxml, a hardened XML parsing library that blocks billion laughs, quadratic blowup, and external entity attacks by default.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker hosts a malicious Sitemap XML at a URL that a LlamaIndex-powered application later fetches, or submits the file directly through an exposed ingestion endpoint. Once parsing begins, memory usage grows until the process is killed by the operating system or container orchestrator.

```python
# Patch: switch from xml.etree to defusedxml in PubmedReader
# File: llama-index-integrations/readers/llama-index-readers-papers/
#       llama_index/readers/papers/pubmed/base.py

from typing import List, Optional

from defusedxml import ElementTree as safe_xml
from llama_index.core.readers.base import BaseReader
from llama_index.core.schema import Document


class PubmedReader(BaseReader):
    """
    Pubmed Reader.

    Gets a search query, return a list of Documents of the top
    corresponding scientific papers on Pubmed.
    """
```
Source: run-llama/llama_index commit 4f6ee06

The patch replaces the standard xml.etree import with defusedxml.ElementTree, which rejects documents containing recursive entity definitions before expansion occurs.

Detection Methods for CVE-2025-3225

Indicators of Compromise

  • Sudden, sustained memory growth in Python processes hosting LlamaIndex workloads, followed by out-of-memory kills
  • Application or container restarts correlated with sitemap ingestion or PubMed reader activity
  • Inbound XML payloads containing nested <!ENTITY> declarations referencing other entities multiple times
  • Logs showing xml.etree.ElementTree parse calls immediately before process termination

Detection Strategies

  • Inspect application logs for stack traces originating in llama_index reader modules during XML parsing
  • Use a web application firewall or proxy rule to flag XML payloads that declare more than a small threshold of internal entities
  • Inventory installed Python packages and alert when llama-index is at or below v0.12.21 or llama-index-readers-papers is at 0.3.1

Monitoring Recommendations

  • Track per-process memory ceilings on hosts running LlamaIndex ingestion jobs and alert on rapid growth
  • Monitor container exit codes for OOMKilled events on RAG pipeline workloads
  • Capture network telemetry for outbound fetches of remote Sitemap XML URLs and correlate with parser crashes

How to Mitigate CVE-2025-3225

Immediate Actions Required

  • Upgrade llama-index to v0.12.29 or later across all environments running RAG pipelines
  • Upgrade llama-index-readers-papers to 0.3.2 or later, which adds the defusedxml dependency
  • Audit any custom readers in your codebase that parse XML and replace xml.etree with defusedxml
  • Treat all sitemap URLs and XML inputs as untrusted, even when supplied by internal users

Patch Information

The fix is published in commit 4f6ee06 and shipped in llama_index version v0.12.29. The patch introduces defusedxml as a required dependency and routes XML parsing through defusedxml.ElementTree, which blocks entity expansion attacks. Additional context is available in the Huntr bounty report.

Workarounds

  • Disable or remove the sitemap reader and PubMed reader components until upgrades are deployed
  • Place strict memory limits and restart policies on containers running LlamaIndex workers to contain impact
  • Use an upstream proxy to reject XML documents that declare internal entity references

```bash
# Configuration example: pin patched versions and verify defusedxml is installed
pip install --upgrade "llama-index>=0.12.29" "llama-index-readers-papers>=0.3.2"
pip show defusedxml | grep -E "Name|Version"

# Apply a container memory cap to limit blast radius during ingestion
docker run --memory=2g --memory-swap=2g --restart=on-failure my-rag-app
```
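A pre-parse guard in the spirit of the defusedxml switch and of the entity-rejecting proxy workaround above, as an added example (not code from the llama_index project or the Huntr report): it counts `<!ENTITY>` declarations with the standard-library expat parser and refuses the document before any replacement text is materialized. The sitemap samples are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed samples (not from the advisory). The second is a tiny three-level
# instance of the nested-entity pattern; it expands to only 48 bytes.
BENIGN_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/docs/intro</loc></url>
  <url><loc>https://example.com/docs/api</loc></url>
</urlset>"""

ENTITY_SITEMAP = b"""<?xml version="1.0"?>
<!DOCTYPE urlset [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/&c;</loc></url>
</urlset>"""


class UnsafeXML(ValueError):
    """Raised when a document declares more internal entities than allowed."""


def count_entity_declarations(data: bytes, max_entities: int = 0) -> int:
    """Walk the document with expat and abort once the declaration threshold is
    exceeded; the DTD precedes the content, so nothing is expanded first."""
    seen = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        seen.append(name)
        if len(seen) > max_entities:
            raise UnsafeXML(f"entity {name!r} exceeds the limit of {max_entities}")

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl  # fires once per <!ENTITY ...>
    parser.Parse(data, True)  # an exception raised in the handler aborts the parse
    return len(seen)


def parse_sitemap_safely(data: bytes) -> list[str]:
    """Reject entity-declaring documents first, then extract <loc> URLs."""
    count_entity_declarations(data, max_entities=0)
    root = ET.fromstring(data)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]
```

Running the guard in front of xml.etree mirrors what the patch gets from defusedxml; with the threshold raised, the same function doubles as the entity-count signal the detection section recommends for a proxy rule.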

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: Llamaindex
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.34%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-776

Technical References

  • Huntr Bounty Information
  • Vendor Resources
  • GitHub Commit Update

Related CVEs

  • CVE-2025-1752: Llamaindex DoS Vulnerability
  • CVE-2025-1753: Llamaindex CLI RCE Vulnerability
  • CVE-2025-1750: Llamaindex DuckDBVectorStore SQLi Vulnerability
  • CVE-2025-1793: Llamaindex SQL Injection Vulnerability