CVE-2024-21528
Denial of Service (DoS) vulnerability in node-gettext (npm)

Denial of Service (DoS) No known exploit

What is CVE-2024-21528 About?

This vulnerability is a Denial of Service (DoS) in the `LangChainLLM` class of `run-llama/llama_index` (v0.12.5), causing an infinite loop. It occurs when `stream_complete`'s thread terminates abnormally, leading to continuous process execution. Exploitation is easy, requiring an input of incorrect type.

Affected Software

node-gettext <=3.0.0

Technical Details

The Denial of Service (DoS) vulnerability in the `run-llama/llama_index` repository (version v0.12.5) pertains to the `LangChainLLM` class. Specifically, the `stream_complete` method executes the `llm.predict` operation within a separate thread, with results retrieved using the `get_response_gen` method of the `StreamingGeneratorCallbackHandler` class. The critical flaw lies in the lack of exception handling if the worker thread terminates abnormally before `_llm.predict` is successfully executed. When this happens, `get_response_gen` enters an infinite loop, continuously trying to retrieve a result that will never appear. This state is easily triggered by providing an input of an incorrect type to the `llm.predict` call, which causes the thread to terminate prematurely, leading to indefinite process execution and resource exhaustion.
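The pattern described above and one way to harden it, as an added example that is not llama_index code: `StreamHandler`, `fake_predict`, `guarded_worker` and this simplified `stream_complete` are hypothetical stand-ins, and the flawed loop is capped so the demonstration terminates.

```python
import queue
import threading

class StreamHandler:  # hypothetical stand-in for a streaming callback handler
    def __init__(self):
        self.tokens, self.done, self.error = queue.Queue(), threading.Event(), None

def fake_predict(prompt, handler):
    """Stand-in for the LLM call: rejects a wrong-typed prompt before any token."""
    if not isinstance(prompt, str):
        raise TypeError("prompt must be str")
    for tok in prompt.split():
        handler.tokens.put(tok)
    handler.done.set()  # only reached on success

def unguarded_still_waiting(prompt, limit=1000):
    """Flawed pattern, capped at `limit` polls so the demo ends. True = still spinning."""
    handler = StreamHandler()
    hook, threading.excepthook = threading.excepthook, lambda args: None  # quiet demo
    worker = threading.Thread(target=fake_predict, args=(prompt, handler))
    worker.start()
    worker.join()
    threading.excepthook = hook
    for _ in range(limit):
        if not handler.tokens.empty():
            handler.tokens.get_nowait()
        if handler.done.is_set():  # sole exit condition; never set if the worker died
            return False
    return True

def guarded_worker(prompt, handler):
    """Fix, part 1: record the failure and always signal completion."""
    try:
        fake_predict(prompt, handler)
    except Exception as exc:
        handler.error = exc
    finally:
        handler.done.set()

def stream_complete(prompt):
    """Fix, part 2: blocking reads with a timeout; surface the worker's error."""
    handler = StreamHandler()
    threading.Thread(target=guarded_worker, args=(prompt, handler), daemon=True).start()
    while not (handler.done.is_set() and handler.tokens.empty()):
        try:
            yield handler.tokens.get(timeout=0.05)
        except queue.Empty:
            continue
    if handler.error is not None:
        raise RuntimeError("stream worker failed") from handler.error
```

With the guarded worker, a wrong-typed prompt ends the stream with an exception the caller can handle instead of leaving the consumer polling forever.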

What is the Impact of CVE-2024-21528?

Successful exploitation may allow attackers to cause the application to hang indefinitely, consume excessive resources, and lead to a denial of service, preventing legitimate users from accessing the service.

What is the Exploitability of CVE-2024-21528?

Exploitation of this Denial of Service vulnerability is straightforward and requires providing an input of an incorrect type to the `LangChainLLM.stream_complete` method. This makes the complexity low. There are no explicit authentication or privilege requirements, as the vulnerability is triggered by manipulating input to a core function. It can be exploited remotely if the affected `stream_complete` method is exposed to untrusted user input, for instance, via an API endpoint. The primary risk factor is the absence of robust input validation and error handling around thread execution and result retrieval, allowing malformed input to halt the application.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-21528?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2024-21528?

Similar Vulnerabilities: CVE-2023-39325, CVE-2023-39326, CVE-2023-39327, CVE-2023-39328, CVE-2023-39329