run-llama/llama_index
cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*
- latest
A denial-of-service vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index repository, specifically in the latest version. The issue arises when an attacker controls a crawled URL so that it points back to the root URL, causing the get_article_urls method to call itself recursively without terminating. This behavior exhausts system resources and can lead to a crash of the application.
Exploitation of this vulnerability can cause the application to enter an infinite loop, recursively calling the get_article_urls method without termination. This behavior can exhaust system resources, reach Python's maximum recursion depth, and ultimately crash the application.
The vulnerability can be reproduced by creating a server that serves a malicious article URL containing a link back to the root. This server can be set up using Python's http.server module. Once the server is running, the KnowledgeBaseWebReader can be instantiated with the root URL pointing to the server. When the load_data method is called, it triggers the infinite recursion by repeatedly crawling the same root URL, leading to a denial-of-service condition.
The vulnerability has been fixed in version 0.3.3 of the llama_index package. Users should update to this version.
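The recursion described above and its mitigation, as an added example that is not llama_index's own code: a simplified crawler over a constructed in-memory site whose article page links back to the root, with a naive get_article_urls that overflows the stack beside a version that remembers visited URLs and caps depth. The site data, function names and the depth limit are assumptions.

```python
# Constructed in-memory "site": each URL maps to the links found on that page.
# /article/1 links back to the root, the cycle the advisory describes.
SITE = {
    "http://kb.example/": ["http://kb.example/article/1", "http://kb.example/article/2"],
    "http://kb.example/article/1": ["http://kb.example/"],
    "http://kb.example/article/2": ["http://kb.example/article/3"],
    "http://kb.example/article/3": [],
}


def fetch_links(site, url):
    """Stand-in for an HTTP fetch (assumption): links on a page, none for unknown URLs."""
    return site.get(url, [])


def get_article_urls_naive(site, url):
    """Recurses into every link with no memory of what was already crawled.
    Any cycle, such as an article linking back to the root, makes this call
    itself until Python raises RecursionError."""
    urls = []
    for link in fetch_links(site, url):
        urls.append(link)
        urls.extend(get_article_urls_naive(site, link))
    return urls


def get_article_urls_safe(site, url, visited=None, depth=0, max_depth=10):
    """Hardened crawl: a shared visited set breaks cycles, and a depth cap bounds
    the recursion even on acyclic sites that are simply very deep."""
    if visited is None:
        visited = set()
    if url in visited or depth > max_depth:
        return visited
    visited.add(url)
    for link in fetch_links(site, url):
        get_article_urls_safe(site, link, visited, depth + 1, max_depth)
    return visited


def naive_crawl_overflows(site, root):
    """True if the naive crawler exhausts the interpreter's recursion stack on this site."""
    try:
        get_article_urls_naive(site, root)
    except RecursionError:
        return True
    return False
```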