run-llama llama_index KnowledgeBaseWebReader Class Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, specifically in version 0.12.15. The issue arises from inadequate secure coding practices, in particular the improper implementation of the max_depth parameter in the get_article_urls function: the parameter does not actually bound the recursive crawl. This flaw enables an attacker to exhaust Python's recursion limit through repeated recursive calls, causing excessive resource consumption and ultimately crashing the Python process.
Impact
Exhausting Python's recursion limit through repeated function calls, leading to increased resource consumption and crashing the Python process.
Reproduction
The vulnerability can be reproduced by calling the get_article_urls function without properly enforcing the max_depth parameter. The function can be invoked with a Playwright Chromium browser, a root URL, and a current URL. Without a correct implementation of the max_depth parameter, the function recursively crawls the links of the knowledge base without bound and exhausts the Python recursion limit, causing a denial-of-service condition.
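As an added illustration (not code from the llama_index project), the flawed pattern and its corrected form side by side, run over a constructed in-memory link graph with a cycle; the function names, the example URLs and the LINKS table are assumptions, and no browser is involved:

```python
"""Recursive link crawl with an ignored vs. an enforced max_depth.

Constructed example, not the llama_index implementation. The link graph
below stands in for a knowledge base whose articles link to each other in
a cycle (a <-> b), which is what makes an unbounded crawl recurse until
Python's recursion limit is hit.
"""

# Constructed sample knowledge base: page URL -> links found on that page.
LINKS = {
    "https://kb.example/root": ["https://kb.example/a", "https://kb.example/b"],
    "https://kb.example/a": ["https://kb.example/b"],
    "https://kb.example/b": ["https://kb.example/a", "https://kb.example/c"],
    "https://kb.example/c": [],
}


def get_article_urls_ignoring_depth(url, max_depth=100, depth=0):
    """Flawed pattern: max_depth is accepted but never checked and no visited
    set is kept, so the a <-> b cycle recurses until RecursionError."""
    urls = [url]
    for link in LINKS.get(url, []):
        urls.extend(get_article_urls_ignoring_depth(link, max_depth, depth + 1))
    return urls


def get_article_urls_bounded(url, max_depth=100, depth=0, seen=None):
    """Hardened pattern: stop past max_depth and never revisit a URL, so the
    recursion depth is bounded by max_depth and the call count by the graph."""
    if seen is None:
        seen = set()
    if depth > max_depth or url in seen:
        return []
    seen.add(url)
    urls = [url]
    for link in LINKS.get(url, []):
        urls.extend(get_article_urls_bounded(link, max_depth, depth + 1, seen))
    return urls


def exhausts_recursion(crawl, url):
    """Return True if crawling from url hits the interpreter recursion limit."""
    try:
        crawl(url)
        return False
    except RecursionError:
        return True
```

The depth check alone stops the runaway recursion; the visited set additionally keeps a cyclic graph from being re-crawled once per depth level.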
Remediation
Users are advised to update to version 0.3.6, where this vulnerability has been fixed.
