cve-2025-3044
Vulnerability from cvelistv5
Published
2025-07-07 09:54
Modified
2025-07-07 15:23
Summary
MD5 Hash Collision in run-llama/llama_index
References
▼ | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e | Patch | |
security@huntr.dev | https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6 | Exploit, Third Party Advisory | |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6 | Exploit, Third Party Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
run-llama | run-llama/llama_index |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-3044", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-07T15:23:15.234430Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-07T15:23:18.518Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "run-llama/llama_index", "vendor": "run-llama", "versions": [ { "lessThan": "0.12.28", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-440", "description": "CWE-440 Expected Behavior Violation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-07T09:54:22.506Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6" }, { "url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e" } ], "source": { "advisory": "80182c3a-876f-422f-8bac-38267e0345d6", "discovery": "EXTERNAL" }, "title": "MD5 Hash Collision in run-llama/llama_index" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2025-3044", "datePublished": "2025-07-07T09:54:22.506Z", "dateReserved": "2025-03-31T12:26:26.971Z", "dateUpdated": "2025-07-07T15:23:18.518Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-3044\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2025-07-07T10:15:26.717\",\"lastModified\":\"2025-07-30T21:28:24.923\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. 
This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en la clase ArxivReader del repositorio run-llama/llama_index, versiones hasta la v0.12.22.post1, permite colisiones de hash MD5 al generar nombres de archivo para art\u00edculos descargados. Esto puede provocar la p\u00e9rdida de datos, ya que art\u00edculos con t\u00edtulos id\u00e9nticos pero contenido diferente pueden sobrescribirse, impidiendo que algunos art\u00edculos se procesen para el entrenamiento de modelos de IA. El problema se ha resuelto en la versi\u00f3n 0.12.28.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-440\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:llamaindex:llamaindex:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.12.28\",\"matchCriteriaId\":\"918714E3-A9E1-4D93-B6A5-7B5E0EE9EFF3\"}]}]}],\"references\":[{\"url\":\"https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\"]},{\"url\":\"https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}" } }