CVE-2025-5302 Overview
CVE-2025-5302 is an uncontrolled recursion vulnerability [CWE-674] in the JSONReader component of the run-llama/llama_index repository. The flaw affects version v0.12.37 and is triggered when the reader parses deeply nested JSON files. Python reaches its maximum recursion depth limit during traversal, causing high resource consumption and crashes of the Python process. The issue is fixed in version 0.12.38.
The vulnerability is remotely exploitable without authentication or user interaction, making any application that ingests untrusted JSON through JSONReader susceptible to denial of service.
Critical Impact
An unauthenticated attacker can crash Python processes that load llama_index JSONReader by submitting maliciously nested JSON, disrupting AI/LLM application availability.
Affected Products
- run-llama/llama_index version v0.12.37
- Applications embedding the JSONReader document loader from llama_index
- LLM data ingestion pipelines built on affected llama_index releases
Discovery Timeline
- 2025-08-25 - CVE-2025-5302 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-5302
Vulnerability Analysis
The JSONReader component in llama_index parses JSON documents to ingest data into LLM pipelines. The parser walks nested JSON structures using recursive function calls. When the input contains deeply nested arrays or objects, each level adds a frame to the Python call stack.
Python enforces a default recursion limit, typically 1000 frames. Crafted JSON that exceeds this limit triggers a RecursionError and consumes CPU and memory before failing. The result is a process crash or unresponsive ingestion worker, breaking the availability of LLM applications relying on the loader.
The weakness falls under [CWE-674: Uncontrolled Recursion]. The component does not bound recursion depth or convert traversal to an iterative algorithm before invoking the parser on user-controlled input.
Root Cause
The parsing logic in JSONReader recurses into every nested element without depth tracking or limits. The component trusts the structural depth of input JSON, exposing the Python interpreter's stack as an attack surface. The fix in version 0.12.38 introduces depth handling to prevent unbounded recursion.
Attack Vector
An attacker supplies a JSON document with thousands of nested arrays or objects to any endpoint or workflow that feeds data into JSONReader. This includes file uploads, retrieval-augmented generation (RAG) pipelines, webhook receivers, and document ingestion APIs. No credentials or user interaction are required when ingestion is exposed to untrusted input.
The vulnerability mechanism involves submitting JSON such as a chain of opening brackets ([[[[...]]]) nested deeply enough to exceed Python's recursion limit. See the Huntr bounty report and the upstream commit for technical details.
Detection Methods for CVE-2025-5302
Indicators of Compromise
- Log entries reading "RecursionError: maximum recursion depth exceeded" whose stack frames originate from llama_index modules.
- Repeated crashes or restarts of ingestion workers shortly after JSON file uploads or external data fetches.
- Spikes in CPU and memory usage on hosts running llama_index JSONReader during document ingestion.
Detection Strategies
- Inventory installed llama_index versions across Python environments and flag any host running 0.12.37 or earlier.
- Inspect ingestion logs for stack traces referencing JSONReader and recursion exhaustion.
- Add structural validation that measures JSON nesting depth at the application boundary and alerts when input exceeds expected thresholds.
Monitoring Recommendations
- Monitor process exit codes and OOM events on services hosting LLM pipelines using llama_index.
- Track latency and error rates on document ingestion endpoints to identify abusive submissions.
- Correlate unusual JSON payload sizes and depths with subsequent worker restarts in centralized logging.
How to Mitigate CVE-2025-5302
Immediate Actions Required
- Upgrade llama_index to version 0.12.38 or later in all environments using JSONReader.
- Restrict ingestion endpoints to authenticated users until the upgrade is validated.
- Validate and reject JSON inputs that exceed a defined nesting depth before they reach JSONReader.
Patch Information
The issue is resolved in llama_index version 0.12.38. The upstream fix is recorded in commit c032843a02ce38fd8f284b2aa5a37fd1c17ae635. Update package manifests, container images, and CI/CD pipelines that pin the vulnerable release.
Workarounds
- Pre-validate JSON payloads with a depth-limited parser before passing them to JSONReader.
- Run ingestion workers under strict resource limits (memory, CPU, restart policies) to contain crashes.
- Increase isolation by processing untrusted JSON in short-lived sandboxed workers separated from production services.
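The boundary depth check recommended under Detection Strategies, Immediate Actions and Workarounds, written as an added example rather than code from llama_index or the upstream fix. It scans the raw text iteratively, so the check itself cannot hit the recursion limit; MAX_DEPTH, the function names and the sample payloads are assumptions.

```python
import json
from typing import Optional

MAX_DEPTH = 100  # assumed threshold; tune to the deepest legitimate documents


def max_nesting_depth(text: str, limit: Optional[int] = None) -> int:
    """Deepest array/object nesting in raw JSON text, measured iteratively.

    Brackets inside JSON strings are ignored (escapes honoured) and the scan
    stops as soon as `limit` is exceeded, so hostile input costs O(limit).
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if limit is not None and max_depth > limit:
                    return max_depth
        elif ch in "]}":
            depth -= 1  # unbalanced input is left for json.loads to reject
    return max_depth


def within_depth(text: str, limit: int = MAX_DEPTH) -> bool:
    """True when the payload may be handed to JSONReader safely."""
    return max_nesting_depth(text, limit) <= limit


def load_checked(text: str, limit: int = MAX_DEPTH):
    """Parse only after the iterative check passes; never recurses on hostile input."""
    if not within_depth(text, limit):
        raise ValueError(f"JSON nesting exceeds limit of {limit}")
    return json.loads(text)


# Constructed samples: a normal document and a 5000-level bracket chain.
BENIGN = '{"title": "q[1]", "tags": [["a", "b"], {"k": "v"}]}'
HOSTILE = "[" * 5000 + "]" * 5000
```

Run `load_checked` on every payload before it reaches JSONReader; the hostile sample is rejected after reading only 101 characters instead of driving the interpreter to its recursion limit.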
# Configuration example
pip install --upgrade "llama-index>=0.12.38"
pip show llama-index | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.