CVE-2025-5302 is a high-severity denial of service (DoS) vulnerability identified in the JSONReader component of the run-llama/llama_index repository, specifically affecting version v0.12.37. The root cause is an uncontrolled recursion issue (CWE-674) triggered when the JSONReader attempts to parse deeply nested JSON files. Python's recursion limit is exceeded during this process, causing the interpreter to consume excessive resources and ultimately crash or become unresponsive. This vulnerability does not require any authentication or user interaction and can be exploited remotely by submitting crafted JSON input to the affected component. The impact primarily affects availability, as the Python process handling the JSON parsing can be forced to terminate or hang, disrupting dependent services or applications. The vulnerability has been addressed in version 0.12.38 of the run-llama/llama_index package, where recursion handling has been corrected to prevent exceeding the maximum recursion depth. The CVSS v3.0 base score is 8.6, reflecting a high severity due to network attack vector, low attack complexity, no privileges or user interaction required, and significant impact on availability and minor impact on confidentiality and integrity.

For European organizations using the run-llama/llama_index library, especially in environments processing JSON data at scale or receiving external JSON inputs, this vulnerability poses a significant risk to service availability. Systems relying on this library for data ingestion, AI model indexing, or JSON parsing could experience crashes or denial of service conditions, leading to downtime and potential disruption of business-critical applications. This can affect sectors such as finance, healthcare, and public services where data processing reliability is paramount. Additionally, the high resource consumption during exploitation attempts could degrade system performance, impacting other applications on shared infrastructure. Although no known exploits are currently reported in the wild, the low complexity of triggering the vulnerability means attackers could weaponize this flaw to disrupt services or conduct denial of service attacks against European targets.

European organizations should immediately upgrade the run-llama/llama_index library to version 0.12.38 or later, where the uncontrolled recursion issue is fixed. If immediate upgrade is not feasible, implement input validation and limit the depth of JSON nesting before parsing to prevent triggering the recursion limit. Employ runtime monitoring to detect abnormal resource consumption or Python process crashes related to JSON parsing. Additionally, consider sandboxing or isolating the JSON parsing component to contain potential crashes and prevent cascading failures. Network-level protections such as rate limiting and filtering of suspicious JSON payloads can reduce exposure to exploit attempts. Finally, maintain an inventory of systems using this library to ensure comprehensive patching and risk management.