run-llama llama_index Stack Overflow Vulnerability in JSONReader Allowing Denial-of-Service

A stack overflow vulnerability has been identified in the JSONReader component of run-llama/llama_index, specifically in versions through 0.12.28. This vulnerability arises from uncontrolled recursive parsing of JSON, which can be exploited by sending deeply nested JSON structures. The excessive recursion leads to a RecursionError, causing applications to crash. The issue disrupts service availability and workflow reliability. The vulnerability has been addressed in version 0.12.38.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the application, leading to unavailability and disruption of normal workflows.

Reproduction

The vulnerability can be reproduced by setting the Python recursion limit to a low value, such as 500, and then using the JSONReader to process a JSON file containing deeply nested structures. This nesting can be achieved by programmatically creating a dictionary with multiple levels, ensuring that the final level contains a value, such as a string. When the JSONReader attempts to parse this file, the lack of depth validation will result in a RecursionError, demonstrating the stack overflow vulnerability.

Remediation

Users can upgrade to run-llama/llama_index version 0.12.38 or later to address this vulnerability.