{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0.12.21"
              },
              {
                "fixed": "0.12.29"
              }
            ]
          },
          "events": [
            {
              "introduced": "663e663e869889afdb4bfadde06fed306586d29e"
            },
            {
              "fixed": "b79bf64d9a8eb79a00df950172781a65073521a6"
            },
            {
              "fixed": "4f6ee062b19212106a2632af9c9521fc7f0a3584"
            }
          ],
          "repo": "https://github.com/run-llama/llama_index",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, affecting version v0.12.21. An attacker who supplies a malicious Sitemap XML can cause a Denial of Service (DoS) by exhausting system memory, potentially crashing the system. The issue is resolved in version v0.12.29.",
  "id": "CVE-2025-3225",
  "modified": "2026-03-10T21:48:23.582695939Z",
  "published": "2025-07-07T10:15:27.047Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/run-llama/llama_index/commit/4f6ee062b19212106a2632af9c9521fc7f0a3584"
    },
    {
      "type": "EVIDENCE",
      "url": "https://huntr.com/bounties/e33c0699-e9a2-49aa-837b-5363205637a2"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}