Uncontrolled Memory Consumption in run-llama/llama_index_CVE-2025-6208

5.3 / 10

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.

Basic Information

ID CVE-2025-6208

Source @huntr_ai

Published Feb 2, 2026 at 10:36

Affected Product

Vendor run-llama

Product run-llama/llama_index

Version unspecified

Affected Versions run-llama run-llama/llama_index unspecified

CWE Classification

CWE-400

References

{
    "lastseen": "",
    "description": "The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.",
    "published": "2026-02-02T10:36:23.033Z",
    "modified": "2026-02-02T10:36:23.033Z",
    "type": "cve",
    "title": "Uncontrolled Memory Consumption in run-llama/llama_index",
    "source": "@huntr_ai",
    "references": "https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a\nhttps://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2",
    "id": "CVE-2025-6208",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "run-llama run-llama/llama_index unspecified",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "run-llama/llama_index",
    "version": "unspecified",
    "vendor": "run-llama",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}