Bug 2435932 (CVE-2025-6208)

Summary:	CVE-2025-6208 llama_index: llama_index: Denial of Service due to uncontrolled memory consumption in SimpleDirectoryReader
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	anpicker, bparees, hasun, jfula, jowilson, jwong, kshier, nyancey, omaciel, ometelka, ptisnovs, stcannon, syedriko, teagle, ttakamiy, xdharmai
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in llama_index. The `SimpleDirectoryReader` component loads all files from a specified directory into memory before applying a user-defined file limit. This resource management flaw allows an attacker to cause uncontrolled memory consumption. This can lead to memory exhaustion and degraded performance, resulting in a Denial of Service (DoS) for systems utilizing the affected component.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-02 11:01:23 UTC

The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.