AI Threat Alert

CVE-2025-3225

GHSA-w42r-mrx7-c633 HIGH
Published July 7, 2025

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
llama-index-readers-papers pip < 0.3.2 0.3.2

Do you use llama-index-readers-papers? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update llama-index-readers-papers to version 0.3.2

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package before version 0.3.2 (in llama-index v0.10.0 and above through v0.12.29). This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version 0.3.2 (in llama-index 0.12.29).

Weaknesses (CWE)

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
July 7, 2025
Last Modified
July 7, 2025
First Seen
March 24, 2026
Back to Threat Feed