CVE-2025-5302 Overview
CVE-2025-5302 is a denial of service vulnerability in the JSONReader component of the run-llama/llama_index repository. The flaw affects version v0.12.37 and stems from uncontrolled recursion when parsing deeply nested JSON files. An attacker who supplies a malicious JSON document can force the Python interpreter to hit its maximum recursion depth limit. This triggers high resource consumption and crashes the Python process consuming the input. The issue is resolved in version 0.12.38. The weakness maps to CWE-674: Uncontrolled Recursion.
Critical Impact
Remote, unauthenticated attackers can crash llama_index-based services by submitting deeply nested JSON, disrupting downstream LLM pipelines and ingestion workflows.
Affected Products
- run-llama/llama_index version v0.12.37
- Python applications using the JSONReader document loader
- LLM ingestion pipelines that accept untrusted JSON input via llama_index
Discovery Timeline
- 2025-08-25 - CVE-2025-5302 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-5302
Vulnerability Analysis
The JSONReader class in llama_index recursively walks JSON structures to extract textual content for downstream embedding and indexing. The traversal logic does not bound recursion depth or convert recursive descent into an iterative algorithm. When the reader encounters a JSON document with deeply nested objects or arrays, each level adds a frame to the Python call stack.
Python enforces a default recursion limit of 1000 frames. Crossing that limit raises RecursionError, and when nothing catches the exception it terminates the executing thread or process. In service contexts, this aborts ingestion jobs, kills worker processes, and denies service to other tenants sharing the same runtime.
The attack succeeds without authentication when the application exposes JSON ingestion to external sources. Confidentiality and integrity exposure remain limited, but availability impact is high because a single small payload can recursively expand call depth and crash the host process.
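The following added example (written for this page, not code from the llama_index project) shows the two traversal shapes the analysis above contrasts: a recursive depth-first text walk that consumes one interpreter frame per nesting level, and the same walk driven by an explicit stack so call depth stays constant and an optional depth limit fails with an ordinary ValueError instead of RecursionError. The nested document is constructed locally; the function names are hypothetical and do not mirror JSONReader's internals.

```python
import sys
from typing import Optional


def build_nested(depth: int, leaf: str = "leaf text") -> object:
    """Constructed test input: a document nested `depth` levels deep, built
    without recursion so the builder itself cannot hit the interpreter limit."""
    node: object = leaf
    for _ in range(depth):
        node = {"nested": node}
    return node


def extract_text_recursive(node, out=None) -> list:
    """Unbounded depth-first walk (hypothetical name): every nesting level adds
    a Python frame, so a deep enough document exhausts the call stack."""
    if out is None:
        out = []
    if isinstance(node, dict):
        for value in node.values():
            extract_text_recursive(value, out)
    elif isinstance(node, list):
        for value in node:
            extract_text_recursive(value, out)
    elif isinstance(node, str):
        out.append(node)
    return out


def extract_text_iterative(root, max_depth: Optional[int] = None) -> list:
    """Same traversal with an explicit stack: the Python call depth is constant
    regardless of document depth, and `max_depth` rejects hostile input with a
    catchable ValueError rather than a process-killing RecursionError."""
    out = []
    stack = [(root, 0)]
    while stack:
        node, depth = stack.pop()
        if max_depth is not None and depth > max_depth:
            raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
        if isinstance(node, dict):
            # reversed() so items come off the stack in document order
            stack.extend((v, depth + 1) for v in reversed(list(node.values())))
        elif isinstance(node, list):
            stack.extend((v, depth + 1) for v in reversed(node))
        elif isinstance(node, str):
            out.append(node)
    return out


def raises_recursion_error(func, node) -> bool:
    """Report whether `func(node)` dies with the RecursionError this CVE describes."""
    try:
        func(node)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    deep = build_nested(sys.getrecursionlimit() * 5)  # well past the default 1000-frame limit
    print("recursive walker crashes:", raises_recursion_error(extract_text_recursive, deep))
    print("iterative walker result:", extract_text_iterative(deep))
    try:
        extract_text_iterative(deep, max_depth=100)
    except ValueError as exc:
        print("bounded walker rejected input:", exc)
```

Run as a script: the recursive walker reports a crash on the deep document while the iterative walker returns the single leaf string, and the bounded variant rejects the same input with a clean error the caller can log and handle.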
Root Cause
The root cause is uncontrolled recursion [CWE-674] in the JSON traversal routine. The reader lacks a configurable maximum depth, depth counter, or guard clause that aborts parsing when nesting exceeds a safe threshold. The patch in commit c032843a02ce38fd8f284b2aa5a37fd1c17ae635 introduces bounded parsing logic to prevent stack exhaustion.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker crafts a JSON payload containing thousands of nested objects or arrays, for example {"a":{"a":{"a": ... }}}. The attacker submits the payload to any endpoint that feeds documents into JSONReader. The reader recurses through each level until Python raises RecursionError, terminating the worker.
See the GitHub commit fix and the Huntr bounty report for additional technical details.
Detection Methods for CVE-2025-5302
Indicators of Compromise
- RecursionError: maximum recursion depth exceeded entries in Python application logs originating from JSONReader or llama_index.readers.json
- Worker process crashes or restarts correlated with inbound JSON payloads
- Inbound JSON documents with abnormal nesting depth, often exceeding several hundred levels
Detection Strategies
- Inspect application logs for repeated RecursionError stack traces referencing llama_index modules
- Monitor llama_index package version inventories across Python environments and flag any host running 0.12.37 or earlier
- Add a pre-parse validator that measures JSON nesting depth before invoking JSONReader and logs rejections
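As an added example (not part of the original advisory), the detection logic below implements the first indicator and the first strategy above over constructed log lines: it only flags a RecursionError whose traceback, within the same process, contains a frame under llama_index, so unrelated recursion failures elsewhere in the application are not counted, and it joins those hits with supervisor restart messages. The log layout, process names, file paths and function names in the sample are placeholders invented for this example.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample log in a "timestamp process level message" layout.
# Paths and function names are placeholders, not quotes from llama_index code.
SAMPLE_LOGS = """\
2025-08-26T10:01:02Z worker-3 INFO ingest job=42 source=upload/doc1.json bytes=8192
2025-08-26T10:01:03Z worker-3 ERROR Traceback (most recent call last):
2025-08-26T10:01:03Z worker-3 ERROR   File "/app/ingest.py", line 40, in handle_upload
2025-08-26T10:01:03Z worker-3 ERROR   File "/venv/site-packages/llama_index/readers/json/base.py", line 60, in load_data
2025-08-26T10:01:03Z worker-3 ERROR   [Previous line repeated 987 more times]
2025-08-26T10:01:03Z worker-3 ERROR RecursionError: maximum recursion depth exceeded
2025-08-26T10:01:05Z supervisor WARN worker-3 exited with code 1, restarting
2025-08-26T10:02:10Z worker-1 ERROR Traceback (most recent call last):
2025-08-26T10:02:10Z worker-1 ERROR   File "/app/reports/tree.py", line 12, in render
2025-08-26T10:02:10Z worker-1 ERROR RecursionError: maximum recursion depth exceeded
2025-08-26T10:02:11Z supervisor WARN worker-1 exited with code 1, restarting
2025-08-26T10:03:00Z worker-2 INFO ingest job=43 source=upload/doc2.json bytes=512
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
RECURSION_RE = re.compile(r"RecursionError: maximum recursion depth exceeded")
LLAMA_FRAME_RE = re.compile(r'File ".*?llama_index[/\\]')
RESTART_RE = re.compile(r"^(?P<proc>\S+) exited with code")


def find_llama_recursion_crashes(log_text: str, window: int = 50) -> list:
    """One finding per RecursionError whose preceding `window` lines from the
    same process include a llama_index frame. RecursionErrors raised from
    unrelated code (worker-1 above) are deliberately not flagged."""
    recent = defaultdict(lambda: deque(maxlen=window))  # per-process tail of messages
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if RECURSION_RE.search(msg) and any(LLAMA_FRAME_RE.search(prev) for prev in recent[proc]):
            findings.append({"ts": m["ts"], "proc": proc})
        recent[proc].append(msg)
    return findings


def restarts_by_process(log_text: str) -> Counter:
    """Count supervisor restart messages per worker (the crash-rate signal)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = RESTART_RE.match(m["msg"])
            if r:
                counts[r["proc"]] += 1
    return counts


def crashes_followed_by_restart(log_text: str, window: int = 50) -> list:
    """Join both signals: llama_index RecursionErrors on a worker that the
    supervisor subsequently restarted, which is the pattern worth alerting on."""
    restarts = restarts_by_process(log_text)
    return [f for f in find_llama_recursion_crashes(log_text, window) if restarts[f["proc"]]]


if __name__ == "__main__":
    for finding in crashes_followed_by_restart(SAMPLE_LOGS):
        print("llama_index recursion crash:", finding)
```

The per-process window matters: tracebacks from different workers interleave in a shared log, so attributing the llama_index frame to the right RecursionError requires keying the buffer on the process field rather than scanning a flat tail of lines.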
Monitoring Recommendations
- Track Python worker crash rates and restart counts in process supervisors and orchestrators
- Alert on sudden spikes in JSON payload size or structural complexity reaching ingestion endpoints
- Capture and review request bodies that precede ingestion worker terminations for forensic analysis
How to Mitigate CVE-2025-5302
Immediate Actions Required
- Upgrade llama_index to version 0.12.38 or later across all Python environments
- Audit dependency manifests (requirements.txt, pyproject.toml, poetry.lock) for pinned versions at or below 0.12.37
- Restrict JSONReader exposure to trusted input sources until the upgrade is verified in production
Patch Information
The fix is committed in run-llama/llama_index commit c032843 and released in version 0.12.38. Upgrade with pip install --upgrade llama-index and redeploy affected services.
Workarounds
- Validate JSON nesting depth at the application boundary and reject documents exceeding a defined threshold such as 100 levels
- Run JSONReader workloads in isolated subprocesses with resource limits so a crash does not affect other tenants
- Raise the Python recursion limit with sys.setrecursionlimit() only as a temporary measure, paired with strict input validation
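The pre-parse validator suggested in the detection strategies and in the first workaround above, written here as an added example rather than code from the project: it measures bracket nesting depth of the raw JSON text in a single non-recursive pass, skipping string literals (including escaped quotes) so brackets inside string content are not counted, and stops as soon as the limit is crossed so a hostile document is rejected before any recursive parser sees it. The 100-level threshold follows the workaround; the function names and the wrapper around json.loads are assumptions for this example.

```python
import json

MAX_DEPTH = 100  # the threshold suggested in the workarounds; tune per deployment


class NestingTooDeep(ValueError):
    """Raised when a document exceeds the allowed nesting depth."""


def json_nesting_depth(text: str, max_depth: int = MAX_DEPTH) -> int:
    """Return the maximum bracket nesting depth of raw JSON text.

    Linear scan with constant stack usage, so the guard itself can never hit
    the recursion limit. Aborts the moment depth exceeds max_depth, which keeps
    the cost of rejecting a hostile document proportional to its prefix.
    """
    depth = max_seen = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # the character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise NestingTooDeep(f"nesting depth exceeds {max_depth}")
            max_seen = max(max_seen, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if depth != 0 or in_string:
        raise ValueError("truncated or unbalanced JSON document")
    return max_seen


def is_within_depth(text: str, max_depth: int = MAX_DEPTH) -> bool:
    """Boolean form of the guard for use at the ingestion boundary."""
    try:
        json_nesting_depth(text, max_depth)
        return True
    except ValueError:  # NestingTooDeep is a ValueError as well
        return False


def load_json_bounded(text: str, max_depth: int = MAX_DEPTH):
    """Validate depth first, then parse (hypothetical wrapper to place in front
    of JSONReader): a document that fails the guard never reaches json.loads."""
    json_nesting_depth(text, max_depth)
    return json.loads(text)


if __name__ == "__main__":
    benign = '{"title": "doc", "sections": [{"text": "a}b]c"}, {"text": "ok"}]}'
    deep_test_input = '{"a":' * 5000 + '"x"' + '}' * 5000  # constructed: the shape from the Attack Vector section
    print("benign depth:", json_nesting_depth(benign))
    print("deep input accepted:", is_within_depth(deep_test_input))
```

Place the check where the request body is first available, and log rejections with the measured depth and source so they feed the indicators listed above. Raising sys.setrecursionlimit() is a weaker substitute: it only moves the threshold, and a sufficiently high limit lets the interpreter overrun the native stack, which ends the process without a catchable exception.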
# Upgrade llama_index to the patched release
pip install --upgrade 'llama-index>=0.12.38'
# Verify the installed version from the distribution metadata (works whether or not the package exposes __version__)
python -c "from importlib.metadata import version; print(version('llama-index'))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.