Bug 2390808 (CVE-2025-5302)
| Summary: | CVE-2025-5302 llama_index: Denial of Service (DOS) in JSONReader in run-llama/llama_index | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | haoli, hkataria, jajackso, jcammara, jmitchel, jneedle, kegrant, koliveir, kshier, mabashia, pbraun, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the JSONReader component of the llama_index Python package, where the _depth_first_yield function has no limit on the recursive number of times it is called. This vulnerability causes Python to reach its maximum recursive depth when parsing deeply nested JSON files. The program crashes, resulting in a Denial of Service. This process consumes significant CPU and memory resources while attempting to handle the nesting. This issue was fixed in version 0.12.38.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-08-25 16:01:44 UTC
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 Red Hat Ansible Automation Platform 2.5 for RHEL 9 Via RHSA-2025:16514 https://access.redhat.com/errata/RHSA-2025:16514 |