{"id":"CVE-2025-1752","details":"A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting the latest version (v0.12.15). The vulnerability arises because the max_depth parameter is not properly implemented in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.","aliases":["GHSA-7c85-87cp-mr6g"],"modified":"2026-03-14T12:42:12.965897Z","published":"2025-05-10T14:15:32.523Z","references":[{"type":"FIX","url":"https://github.com/run-llama/llama_index/commit/3c65db2947271de3bd1927dc66a044da385de4da"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/run-llama/llama_index","events":[{"introduced":"0"},{"fixed":"bc4651e76c32e4f22f643c7fa1f3be5dda81f187"},{"fixed":"3c65db2947271de3bd1927dc66a044da385de4da"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.6"}]}}],"versions":["v0.10.0","v0.10.1","v0.10.10","v0.10.11","v0.10.12","v0.10.13","v0.10.13.post1","v0.10.14","v0.10.15","v0.10.16","v0.10.17","v0.10.18","v0.10.19","v0.10.20","v0.10.22","v0.10.23","v0.10.24","v0.10.25","v0.10.26","v0.10.27","v0.10.28","v0.10.28.post1","v0.10.29","v0.10.3","v0.10.30","v0.10.31","v0.10.32","v0.10.34","v0.10.35","v0.10.37","v0.10.38","v0.10.40","v0.10.41","v0.10.42","v0.10.43","v0.10.44","v0.10.47","v0.10.48","v0.10.48.post1","v0.10.49","v0.10.5","v0.10.50","v0.10.51","v0.10.52","v0.10.53","v0.10.54","v0.10.55","v0.10.57","v0.10.58","v0.10.59","v0.10.6","v0.10.60","v0.10.61","v0.10.62","v0.10.63","v0.10.66","v0.10.67","v0.10.67.post1","v0.10.68","v0.10.7","v0.10.8","v0.10.9","v0.11.0","v0.11.1","v0.11.10","v0.11.11","v0.11.12","v0.11.13","v0.11.14","v0.11.15","v0.11.16","v0.11.17"
,"v0.11.17.post1","v0.11.18","v0.11.19","v0.11.2","v0.11.20","v0.11.21","v0.11.22","v0.11.23","v0.11.23.post1","v0.11.23.post2","v0.11.23.post3","v0.11.3","v0.11.4","v0.11.5","v0.11.6","v0.11.6.post1","v0.11.7","v0.11.8","v0.11.9","v0.12.0","v0.12.0.post1","v0.12.1","v0.12.10","v0.12.11","v0.12.12","v0.12.13","v0.12.13.post1","v0.12.14","v0.12.15","v0.12.16","v0.12.17","v0.12.17.post1","v0.12.17.post2","v0.12.18","v0.12.19","v0.12.2","v0.12.20","v0.12.3","v0.12.4","v0.12.5","v0.12.6","v0.12.7","v0.12.8","v0.12.9","v0.12.9.post1","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.6.0","v0.6.0.alpha1","v0.6.21","v0.6.3","v0.7.10","v0.7.11","v0.7.11.post1","v0.7.12","v0.7.13","v0.7.14","v0.7.19","v0.7.20","v0.7.24.post1","v0.7.9","v0.8.1.post1","v0.8.10","v0.8.11.post1","v0.8.11.post2","v0.8.11.post3","v0.8.2","v0.8.2.post1","v0.8.25","v0.8.29.post1","v0.8.3","v0.8.38","v0.8.4","v0.8.43","v0.8.43.post1","v0.8.45","v0.8.45.post1","v0.8.5.post1","v0.8.53.post1","v0.8.63.post1","v0.8.66","v0.8.69","v0.8.69.post1","v0.8.69.post2","v0.8.7","v0.9.0","v0.9.1","v0.9.10","v0.9.11.post1","v0.9.12","v0.9.14.post3","v0.9.15","v0.9.15.post1","v0.9.15.post2","v0.9.16.post1","v0.9.17.dev1","v0.9.22","v0.9.25","v0.9.26","v0.9.28","v0.9.28.post1","v0.9.28.post2","v0.9.29","v0.9.3","v0.9.3.post1","v0.9.31","v0.9.36","v0.9.37","v0.9.38","v0.9.39","v0.9.40","v0.9.41","v0.9.42","v0.9.42.post1","v0.9.42.post2","v0.9.45.post1","v0.9.46","v0.9.48","v0.9.5","v0.9.6","v0.9.6.post1","v0.9.6.post2","v0.9.7","v0.9.8","v0.9.8.post1","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1752.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}