CVE-2024-12704 HIGH

CVE-2024-12704: Denial of Service (DoS) in run-llama/llama_index

Vendor Run-Llama

Product run-llama/llama_index

Weakness CWE-835

Published March 20, 2025

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.

Key dates

02Disclosure timeline

March 20, 2025 CVE published

October 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12704

Related vulnerabilities

Identifiers

CVE CVE-2024-12704

CWE CWE-835

CVSS 7.5 / HIGH

Affected versions