GHSA-p7j4-jwjf-5x9w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p7j4-jwjf-5x9w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-p7j4-jwjf-5x9w/GHSA-p7j4-jwjf-5x9w.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-p7j4-jwjf-5x9w
- Aliases
- Published
- 2025-07-07T12:30:22Z
- Modified
- 2025-07-08T00:27:14.951786Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- LlamaIndex vulnerability in ArxivReader class can cause MD5 hash collisions
- Details
-
A vulnerability in the ArxivReader class of the run-llama/llama_index repository allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in llama-index-readers-papers version 0.3.1 (in llama-index 0.12.28).
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-07-08T00:03:54Z", "cwe_ids": [ "CWE-440" ], "nvd_published_at": "2025-07-07T10:15:26Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-3044
- https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e
- https://github.com/run-llama/llama_index/commit/f69e1c0e7579228fec4cfaf716e4f951e131de77
- https://github.com/run-llama/llama_index
- https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6
Affected packages
PyPI / llama-index-readers-papers
Package
- Name
- llama-index-readers-papers
- View open source insights on deps.dev
- Purl
- pkg:pypi/llama-index-readers-papers