{"id":"CVE-2025-3225","details":"An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.","aliases":["GHSA-w42r-mrx7-c633"],"modified":"2026-04-10T05:25:07.790279Z","published":"2025-07-07T10:15:27.047Z","references":[{"type":"FIX","url":"https://github.com/run-llama/llama_index/commit/4f6ee062b19212106a2632af9c9521fc7f0a3584"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/e33c0699-e9a2-49aa-837b-5363205637a2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/run-llama/llama_index","events":[{"introduced":"663e663e869889afdb4bfadde06fed306586d29e"},{"fixed":"b79bf64d9a8eb79a00df950172781a65073521a6"},{"fixed":"4f6ee062b19212106a2632af9c9521fc7f0a3584"}],"database_specific":{"versions":[{"introduced":"0.12.21"},{"fixed":"0.12.29"}]}}],"versions":["v0.12.21","v0.12.22","v0.12.22.post1","v0.12.23","v0.12.24","v0.12.24.post1","v0.12.24.post2","v0.12.25","v0.12.26","v0.12.27","v0.12.28"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3225.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}