{"url":"http://public2.vulnerablecode.io/api/packages/730152?format=json","purl":"pkg:pypi/llama-index-core@0.10.5a2","type":"pypi","namespace":"","name":"llama-index-core","version":"0.10.5a2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.13.0","latest_non_vulnerable_version":"0.13.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47893?format=json","vulnerability_id":"VCID-2uu5-wfcf-2yez","summary":"llama-index-core insecurely handles temporary files\nThe llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7647.json","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7647.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7647","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06019","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06058","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06046","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06043","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05994","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7647"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-29T19:26:13Z/"}],"url":"https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4"},{"reference_url":"https://huntr.com/bounties/a2baa08f-98bf-47a8-ac83-06f7411afd9e","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-29T19:26:13Z/"}],"url":"https://huntr.com/bounties/a2baa08f-98bf-47a8-ac83-06f7411afd9e"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2399917","reference_id":"2399917","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2399917"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7647","reference_id":"CVE-2025-7647","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7647"},{"reference_url":"https://github.com/advisories/GHSA-cr7q-2w66-hjcm","reference_id":"GHSA-cr7q-2w66-hjcm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cr7q-2w66-hjcm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18984","reference_id":"RHSA-2025:18984","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18984"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70655?format=json","purl":"pkg:pypi/llama-index-core@0.13.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.13.0"}],"aliases":["CVE-2025-7647","GHSA-cr7q-2w66-hjcm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uu5-wfcf-2yez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36857?format=json","vulnerability_id":"VCID-7fnz-sag8-nfe6","summary":"An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45201.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45201","reference_id":"","reference_type":"","scores":[{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43748","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43738","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43787","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43772","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00212","scoring_system":"epss","scoring_elements":"0.43796","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45201"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2024-192.yaml"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index/commit/bd827c30484fa085ec769fa55dc7f2add8006ac8"},{"reference_url":"https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/"}],"url":"https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38"},{"reference_url":"https://github.com/run-llama/llama_index/pull/13523","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-25T18:18:17Z/"}],"url":"https://github.com/run-llama/llama_index/pull/13523"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2307415","reference_id":"2307415","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2307415"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45201","reference_id":"CVE-2024-45201","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45201"},{"reference_url":"https://github.com/advisories/GHSA-fxc2-8m62-m85x","reference_id":"GHSA-fxc2-8m62-m85x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxc2-8m62-m85x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82451?format=json","purl":"pkg:pypi/llama-index-core@0.10.38","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-pgec-vz8n-fbe4"},{"vulnerability":"VCID-smmt-kn7c-6bbk"},{"vulnerability":"VCID-x55m-uhum-x3hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.10.38"}],"aliases":["CVE-2024-45201","GHSA-fxc2-8m62-m85x","PYSEC-2024-192"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7fnz-sag8-nfe6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47494?format=json","vulnerability_id":"VCID-dypf-2z8m-hye8","summary":"llama-index-core Command Injection vulnerability\nA command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3271","reference_id":"","reference_type":"","scores":[{"value":"0.01239","scoring_system":"epss","scoring_elements":"0.79603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01239","scoring_system":"epss","scoring_elements":"0.79606","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01239","scoring_system":"epss","scoring_elements":"0.79588","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01239","scoring_system":"epss","scoring_elements":"0.79598","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3271"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5"},{"reference_url":"https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-13T19:12:23Z/"}],"url":"https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475"},{"reference_url":"https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-13T19:12:23Z/"}],"url":"https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3271","reference_id":"CVE-2024-3271","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3271"},{"reference_url":"https://github.com/advisories/GHSA-r6gp-rff2-p3hf","reference_id":"GHSA-r6gp-rff2-p3hf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r6gp-rff2-p3hf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69720?format=json","purl":"pkg:pypi/llama-index-core@0.10.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-7fnz-sag8-nfe6"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-pgec-vz8n-fbe4"},{"vulnerability":"VCID-smmt-kn7c-6bbk"},{"vulnerability":"VCID-x55m-uhum-x3hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.10.24"}],"aliases":["CVE-2024-3271","GHSA-r6gp-rff2-p3hf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dypf-2z8m-hye8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49925?format=json","vulnerability_id":"VCID-gcws-xpsx-q7gc","summary":"llama-index-core vulnerable to Uncontrolled Resource Consumption\nThe `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6208.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6208.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6208","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06893","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06932","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06937","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06922","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06885","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6208"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:46:45Z/"}],"url":"https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2"},{"reference_url":"https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:46:45Z/"}],"url":"https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435932","reference_id":"2435932","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435932"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6208","reference_id":"CVE-2025-6208","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6208"},{"reference_url":"https://github.com/advisories/GHSA-488g-hw5f-x29p","reference_id":"GHSA-488g-hw5f-x29p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-488g-hw5f-x29p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73779?format=json","purl":"pkg:pypi/llama-index-core@0.12.41","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.41"}],"aliases":["CVE-2025-6208","GHSA-488g-hw5f-x29p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gcws-xpsx-q7gc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56894?format=json","vulnerability_id":"VCID-pgec-vz8n-fbe4","summary":"LlamaIndex Improper Handling of Exceptional Conditions vulnerability\nA vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12704","reference_id":"","reference_type":"","scores":[{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57854","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57838","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57852","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57863","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12704"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/"}],"url":"https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05"},{"reference_url":"https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/"}],"url":"https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2353770","reference_id":"2353770","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2353770"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12704","reference_id":"CVE-2024-12704","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12704"},{"reference_url":"https://github.com/advisories/GHSA-j3wr-m6xh-64hg","reference_id":"GHSA-j3wr-m6xh-64hg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j3wr-m6xh-64hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84497?format=json","purl":"pkg:pypi/llama-index-core@0.12.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-53cx-ddxf-vfde"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-smmt-kn7c-6bbk"},{"vulnerability":"VCID-x55m-uhum-x3hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.6"}],"aliases":["CVE-2024-12704","GHSA-j3wr-m6xh-64hg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pgec-vz8n-fbe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57576?format=json","vulnerability_id":"VCID-smmt-kn7c-6bbk","summary":"LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing\nThe JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5472.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5472.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5472","reference_id":"","reference_type":"","scores":[{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.3684","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.36895","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.36901","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.36866","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.36827","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5472"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T11:17:19Z/"}],"url":"https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635"},{"reference_url":"https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T11:17:19Z/"}],"url":"https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376769","reference_id":"2376769","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376769"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5472","reference_id":"CVE-2025-5472","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5472"},{"reference_url":"https://github.com/advisories/GHSA-3wxx-q3gv-pvvv","reference_id":"GHSA-3wxx-q3gv-pvvv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3wxx-q3gv-pvvv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85633?format=json","purl":"pkg:pypi/llama-index-core@0.12.38","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-53cx-ddxf-vfde"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-pwa9-7xgw-vkgu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.38"}],"aliases":["CVE-2025-5472","GHSA-3wxx-q3gv-pvvv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-smmt-kn7c-6bbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47445?format=json","vulnerability_id":"VCID-tepn-ysj4-pbdh","summary":"llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution\nA vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploiting the flaw.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3098","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34803","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3477","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34749","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34784","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.3482","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3098"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index/commit/2c92e88838a5f481d50840240b1dd3180066c6f5"},{"reference_url":"https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-07-25T19:07:30Z/"}],"url":"https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475"},{"reference_url":"https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-07-25T19:07:30Z/"}],"url":"https://huntr.com/bounties/1bce0d61-ad03-4b22-bc32-8f99f92974e7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3098","reference_id":"CVE-2024-3098","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3098"},{"reference_url":"https://github.com/advisories/GHSA-wvpx-g427-q9wc","reference_id":"GHSA-wvpx-g427-q9wc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wvpx-g427-q9wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69720?format=json","purl":"pkg:pypi/llama-index-core@0.10.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-7fnz-sag8-nfe6"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-pgec-vz8n-fbe4"},{"vulnerability":"VCID-smmt-kn7c-6bbk"},{"vulnerability":"VCID-x55m-uhum-x3hv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.10.24"}],"aliases":["CVE-2024-3098","GHSA-wvpx-g427-q9wc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tepn-ysj4-pbdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57994?format=json","vulnerability_id":"VCID-x55m-uhum-x3hv","summary":"LlamaIndex affected by a Denial of Service (DOS) in JSONReader\nA denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5302.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5302.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5302","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17282","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17385","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1738","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17344","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17264","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5302"},{"reference_url":"https://github.com/run-llama/llama_index","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/run-llama/llama_index"},{"reference_url":"https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-25T15:40:17Z/"}],"url":"https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635"},{"reference_url":"https://huntr.com/bounties/70041b81-de9e-4046-8c0e-6ccd557048a6","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-25T15:40:17Z/"}],"url":"https://huntr.com/bounties/70041b81-de9e-4046-8c0e-6ccd557048a6"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390808","reference_id":"2390808","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390808"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5302","reference_id":"CVE-2025-5302","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5302"},{"reference_url":"https://github.com/advisories/GHSA-7753-xrfw-ch36","reference_id":"GHSA-7753-xrfw-ch36","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7753-xrfw-ch36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:16514","reference_id":"RHSA-2025:16514","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:16514"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85633?format=json","purl":"pkg:pypi/llama-index-core@0.12.38","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2uu5-wfcf-2yez"},{"vulnerability":"VCID-53cx-ddxf-vfde"},{"vulnerability":"VCID-gcws-xpsx-q7gc"},{"vulnerability":"VCID-pwa9-7xgw-vkgu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.12.38"}],"aliases":["CVE-2025-5302","GHSA-7753-xrfw-ch36"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x55m-uhum-x3hv"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index-core@0.10.5a2"}