Strix
26.1K

CVE-2024-12704

HIGHCVSS 7.5/10EPSS 0.76%

Last modified

CVE-2024-12704 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. EPSS estimates a 0.76% chance of exploitation in the next 30 days.

Description

A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.

Metrics

CVSS 3.0
7.5/10

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.76%

50.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LlamaindexLlamaindex0.12.5

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-12704?
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
How severe is CVE-2024-12704?
CVE-2024-12704 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.76% probability of exploitation in the next 30 days.
How do I fix CVE-2024-12704?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-12704?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST