Denial of Service Vulnerability in LangChainLLM Class of Run-Llama Repository
CVE-2024-12704
7.5 HIGH
What is CVE-2024-12704?
A vulnerability exists in the LangChainLLM class of the run-llama/llama_index repository, specifically in version v0.12.5. The issue arises in the stream_complete method, which runs the LLM in a separate thread and then retrieves the results through the get_response_gen method of the StreamingGeneratorCallbackHandler class. If that thread terminates abnormally before it reaches the _llm.predict call, no exception is handled or propagated to the consumer, so the get_response_gen function can enter an infinite loop waiting for output that never arrives. This vulnerability can be triggered by supplying incorrect input types, leading to persistent denial of service.
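The failure mode above, as an added illustration that is not llama_index's own code: a minimal producer/consumer in the same shape, where a worker thread streams tokens into a queue and a generator drains them. All class and function names here (StreamingHandler, stream_complete, fake_predict, run_stream) are hypothetical stand-ins for the pattern the advisory describes. The flawed generator only ever stops on an end-of-stream signal, so a worker that dies before the model call leaves it waiting forever; the hardened variant records the worker's exception, always sends the end sentinel, and re-raises on the consumer side.

```python
import queue
import threading
from typing import Iterator, List, Optional, Tuple

# Constructed example (not llama_index code): names below are hypothetical.
_END = object()  # sentinel marking the end of the token stream


class StreamingHandler:
    """Collects tokens from a worker thread and hands them to a consumer."""

    def __init__(self) -> None:
        self._queue: "queue.Queue[object]" = queue.Queue()
        self._error: Optional[BaseException] = None

    # --- called from the worker thread ---
    def on_token(self, token: str) -> None:
        self._queue.put(token)

    def on_end(self) -> None:
        self._queue.put(_END)

    def on_error(self, exc: BaseException) -> None:
        # The fix: a worker failure is recorded and the consumer is woken
        # with the same sentinel a normal completion would send.
        self._error = exc
        self._queue.put(_END)

    # --- called from the consumer ---
    def get_response_gen_flawed(self, max_polls: int) -> Iterator[str]:
        """Only exits on the end sentinel. If the worker dies before sending
        it, this loop spins forever; max_polls exists only so the demo ends."""
        polls = 0
        while True:
            try:
                token = self._queue.get(timeout=0.01)
            except queue.Empty:
                polls += 1
                if polls > max_polls:
                    raise TimeoutError("still waiting; no end signal ever came")
                continue
            if token is _END:
                return
            yield token

    def get_response_gen(self) -> Iterator[str]:
        """Hardened loop: blocks on the queue, stops on the sentinel, and
        re-raises any exception the worker recorded."""
        while True:
            token = self._queue.get()
            if token is _END:
                break
            yield token
        if self._error is not None:
            raise self._error


def fake_predict(prompt: str, handler: StreamingHandler) -> None:
    """Stand-in for the model call: streams one token per word."""
    for word in prompt.split():
        handler.on_token(word)


def stream_complete(prompt: object, handler: StreamingHandler, safe: bool) -> None:
    """Runs the model in a thread, mirroring the advisory's structure."""

    def worker() -> None:
        try:
            # A wrong input type fails here, before the model is ever called:
            # this is the abnormal termination the advisory describes.
            if not isinstance(prompt, str):
                raise TypeError(f"prompt must be str, got {type(prompt).__name__}")
            fake_predict(prompt, handler)
            handler.on_end()
        except Exception as exc:
            if safe:
                handler.on_error(exc)
            # flawed mode: the thread simply ends; neither an end-of-stream
            # nor an error signal is sent, so the consumer waits forever

    threading.Thread(target=worker, daemon=True).start()


def run_stream(prompt: object, safe: bool, max_polls: int = 50) -> Tuple[List[str], Optional[str]]:
    """Drives one request; returns (tokens, exception class name or None)."""
    handler = StreamingHandler()
    stream_complete(prompt, handler, safe)
    gen = handler.get_response_gen() if safe else handler.get_response_gen_flawed(max_polls)
    tokens: List[str] = []
    try:
        for token in gen:
            tokens.append(token)
    except Exception as exc:
        return tokens, type(exc).__name__
    return tokens, None


if __name__ == "__main__":
    print(run_stream("hello world", safe=True))   # (['hello', 'world'], None)
    print(run_stream(123, safe=True))             # ([], 'TypeError')
    print(run_stream(123, safe=False))            # ([], 'TimeoutError')
```

With a bad input type, the hardened path surfaces the worker's TypeError to the caller on the next read, while the flawed path never sees an end signal and, without the demo's poll cap, would block the consumer indefinitely. The defensive rule is the same for any thread-backed streaming API: every exit path of the worker, normal or not, must send something the consumer is waiting for.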
Affected Version(s)
run-llama/llama_index < 0.12.6
References
CVSS V3.0
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
