CVE-2024-12704
Denial of Service (DoS) vulnerability in llama-index (PyPI)
What is CVE-2024-12704 About?
This vulnerability is a Denial of Service (DoS) in the `LangChainLLM` class of the `run-llama/llama_index` repository, version v0.12.5. It allows attackers to trigger an infinite loop by providing an incorrect input type to the `stream_complete` method, causing the `_llm.predict` thread to terminate abnormally. Exploitation is straightforward, requiring only a malformed input.
Affected Software
Technical Details
The Denial of Service (DoS) vulnerability resides in the `stream_complete` method of the `LangChainLLM` class within llama_index v0.12.5. This method executes the `_llm.predict` operation within a separate thread and retrieves its results via the `get_response_gen` method of `StreamingGeneratorCallbackHandler`. The flaw occurs because there is no exception handling for scenarios where the `_llm.predict` thread terminates abnormally before the prediction function is executed. If an attacker provides an input of an incorrect type, this can cause the thread to fail prematurely. Without proper error handling for this specific pre-execution termination, `get_response_gen` enters an infinite loop while attempting to retrieve non-existent results, leading to the process running indefinitely and consuming resources, thereby causing a Denial of Service.
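The following is an added example, not code from llama_index and not the upstream fix: a simplified model of the thread-plus-generator pattern described above, written in its hardened form so the consumer cannot wait forever on a producer thread that has died. `StreamHandler`, `fake_predict`, `guarded_worker` and `response_gen` are hypothetical names, and the `stream_complete` here is a stand-in function, not the library method.

```python
import queue
import threading

class StreamHandler:
    """Hypothetical stand-in for a streaming callback handler."""
    def __init__(self):
        self.tokens = queue.Queue()
        self.done = threading.Event()
        self.error = None

def fake_predict(prompt, handler):
    # Constructed model call: a non-str prompt raises before any token is produced.
    for word in prompt.split():
        handler.tokens.put(word)
    handler.done.set()

def guarded_worker(prompt, handler):
    # Hardening 1: the worker records any failure and always signals completion.
    try:
        fake_predict(prompt, handler)
    except Exception as exc:
        handler.error = exc
    finally:
        handler.done.set()

def response_gen(handler, thread, poll=0.05, deadline=5.0):
    # Hardening 2: bounded wait plus a liveness check on the producer thread.
    waited = 0.0
    while True:
        try:
            yield handler.tokens.get(timeout=poll)
            waited = 0.0
            continue
        except queue.Empty:
            waited += poll
        alive = thread.is_alive()  # sample before checking done to avoid a race
        if handler.done.is_set():
            while not handler.tokens.empty():
                yield handler.tokens.get_nowait()
            if handler.error is not None:
                raise RuntimeError("prediction thread failed") from handler.error
            return
        if not alive:
            raise RuntimeError("prediction thread exited without signalling completion")
        if waited >= deadline:
            raise TimeoutError("no output from prediction thread before deadline")

def stream_complete(prompt, worker=guarded_worker):
    handler = StreamHandler()
    thread = threading.Thread(target=worker, args=(prompt, handler), daemon=True)
    thread.start()
    return response_gen(handler, thread)
```

Passing `worker=fake_predict` models a producer with no exception handling of its own; the consumer still terminates because it checks thread liveness instead of polling a completion flag that will never be set.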
What is the Impact of CVE-2024-12704?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unavailable to legitimate users.
What is the Exploitability of CVE-2024-12704?
Exploiting this vulnerability is of relatively low complexity. It can be triggered remotely by providing an input of an incorrect type to the `stream_complete` method of the `LangChainLLM` class. There are no specific authentication or privilege requirements, as the vulnerability lies in the input validation and error handling logic. The attack specifically targets the `stream_complete` method, implying direct interaction with the `LangChainLLM` interface is needed. The primary prerequisite is the ability to send malformed input that causes the internal thread to terminate prematurely. The lack of robust error handling for unexpected thread termination significantly increases the likelihood of a successful DoS attack with minimal effort.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-12704?
Available Upgrade Options
- llama-index
  - <0.12.6 → Upgrade to 0.12.6
Additional Resources
- https://osv.dev/vulnerability/GHSA-j3wr-m6xh-64hg
- https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05
- https://nvd.nist.gov/vuln/detail/CVE-2024-12704
- https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a
- https://github.com/run-llama/llama_index
What are Similar Vulnerabilities to CVE-2024-12704?
Similar Vulnerabilities: CVE-2021-37137, CVE-2023-31125, CVE-2021-44228, CVE-2022-22965, CVE-2022-26138
