CVE-2024-12704
published 2025-03-20CVE-2024-12704: A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The…
PriorityP341high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EPSS
0.76%
50.7th percentile
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| llamaindex | llamaindex | — | — |
| run-llama | run-llama_llama_index | >= unspecified < 0.12.6 | 0.12.6 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
ghsa·2025-03-20
CVE-2024-12704 [HIGH] CWE-755 LlamaIndex Improper Handling of Exceptional Conditions vulnerability
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
OSV
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
osv·2025-03-20
CVE-2024-12704 [HIGH] LlamaIndex Improper Handling of Exceptional Conditions vulnerability
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
Red Hat
llama-index: Denial of Service (DoS) in run-llama/llama_index
vendor_redhat·2025-03-20·CVSS 7.5
CVE-2024-12704 [HIGH] CWE-755 llama-index: Denial of Service (DoS) in run-llama/llama_index
llama-index: Denial of Service (DoS) in run-llama/llama_index
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
A flaw was found in the run-llama/llama_index. This vulnerability allows for a denial of service (
No detection rules found.
No public exploits indexed.
2025-03-20
Published