CVE-2025-1752: 
LlamaIndex vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability (CVE-2025-1752) was identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting version ~ latest(v0.12.15). The vulnerability was discovered on May 10, 2025, and stems from inappropriate secure coding measures in the getarticle_urls function. The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (HIGH) (NVD, Wiz).

The vulnerability arises from the improper implementation of the maxdepth parameter in the getarticle_urls function within the KnowledgeBaseWebReader class. This implementation flaw allows attackers to exhaust Python's recursion limit through repeated function calls. The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption) and has been assigned a CVSS v3.0 vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Red Hat Security).

When successfully exploited, this vulnerability leads to resource consumption that ultimately results in crashing the Python process. This creates a denial of service condition, making the system unavailable to legitimate users (Wiz, NVD).

A fix has been implemented and is available through commit 3c65db2947271de3bd1927dc66a044da385de4da. The patch properly implements the maxdepth parameter to prevent recursive function calls from exceeding the limit ([Github Commit](https://github.com/run-llama/llamaindex/commit/3c65db2947271de3bd1927dc66a044da385de4da)).