CVE-2025-3225
Published: 07 July 2025
Summary
CVE-2025-3225 is a high-severity XML Entity Expansion (CWE-776) vulnerability in LlamaIndex (run-llama/llama_index). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 42.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20207
Vulnerability details
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.
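The defensive counterpart to this bug, as an added example that is not code from the llama_index project: a sitemap reader built on Python's standard-library expat parser that fails closed on any DOCTYPE or entity declaration (the only place an entity bomb can be declared) and caps input size before parsing. The two sitemap documents are constructed samples.

```python
import xml.parsers.expat

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

class UnsafeSitemapError(ValueError):
    """Sitemap carries a DOCTYPE or entity declaration, or exceeds the size cap."""

def parse_sitemap_urls(xml_bytes: bytes, max_bytes: int = 10 * 1024 * 1024) -> list[str]:
    """Return every <loc> URL in a sitemap or sitemap index, failing closed on any DTD.
    A valid sitemap never needs a DOCTYPE, and a DTD is the only place an entity
    bomb can be declared, so refusing it stops expansion before it can start."""
    if len(xml_bytes) > max_bytes:  # bound memory before the parser even runs
        raise UnsafeSitemapError(f"sitemap larger than {max_bytes} bytes")
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    urls, buf, state = [], [], {"in_loc": False}

    def reject(*_args):  # fires on "<!DOCTYPE", i.e. before any entity can exist
        raise UnsafeSitemapError("DOCTYPE and entity declarations are not allowed")

    def start(name, _attrs):
        ns, _, local = name.rpartition(" ")  # expat delivers "namespace localname"
        if local == "loc" and ns in ("", SITEMAP_NS):
            state["in_loc"] = True
            buf.clear()

    def end(name):
        if state["in_loc"] and name.rpartition(" ")[2] == "loc":
            urls.append("".join(buf).strip())
            state["in_loc"] = False

    parser.StartDoctypeDeclHandler = parser.EntityDeclHandler = reject
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = lambda d: buf.append(d) if state["in_loc"] else None
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSitemapError(f"malformed sitemap: {exc}") from exc
    return urls

def is_safe_sitemap(xml_bytes: bytes) -> bool:
    """True when the document parses without tripping any guard above."""
    try:
        parse_sitemap_urls(xml_bytes)
    except UnsafeSitemapError:
        return False
    return True

# Constructed samples: a normal sitemap, and one whose DTD declares one harmless
# entity, which is already enough for the guard to refuse the whole document.
SAFE_SITEMAP = b"""<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url><url><loc>https://example.com/docs</loc></url>
</urlset>"""
DTD_SITEMAP = b"""<!DOCTYPE urlset [ <!ENTITY site "https://example.com"> ]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>&site;/</loc></url></urlset>"""
```

Rejecting the DTD outright is stricter than relying on expat's own amplification limits, and it costs nothing for sitemaps, which never legitimately carry one.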
- CWE(s): CWE-776 (Improper Restriction of Recursive Entity References in DTDs, 'XML Entity Expansion')
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
XML Entity Expansion ('billion laughs') in the sitemap parser exhausts memory, a DoS achieved by exploiting the application itself (T1499.004).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.