{"id":"CVE-2024-12704","details":"A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.","aliases":["GHSA-j3wr-m6xh-64hg"],"modified":"2026-02-24T11:47:36.550154Z","published":"2025-03-20T10:15:29.383Z","references":[{"type":"ADVISORY","url":"https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a"},{"type":"FIX","url":"https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/run-llama/llama_index","events":[{"introduced":"0"},{"fixed":"d1ecfb77578d089cbe66728f18f635c09aa32a05"}]}],"versions":["v0.10.0","v0.10.1","v0.10.10","v0.10.11","v0.10.12","v0.10.13","v0.10.13.post1","v0.10.14","v0.10.15","v0.10.16","v0.10.17","v0.10.18","v0.10.19","v0.10.20","v0.10.22","v0.10.23","v0.10.24","v0.10.25","v0.10.26","v0.10.27","v0.10.28","v0.10.28.post1","v0.10.29","v0.10.3","v0.10.30","v0.10.31","v0.10.32","v0.10.34","v0.10.35","v0.10.37","v0.10.38","v0.10.40","v0.10.41","v0.10.42","v0.10.43","v0.10.44","v0.10.47","v0.10.48","v0.10.48.post1","v0.10.49","v0.10.5","v0.10.50","v0.10.51","v0.10.52","v0.10.53","v0.10.54","v0.10.55","v0.10.57","v0.10.58","v0.10.59","v0.10.6","v0.10.60","v0.10.61","v0.10.62","v0.10.63","v0.10.66","v0.10.67","v0.10.67.post1","v0.10.68","v0.10.7","v0.10.8","v0.10.9","v0.11.0","v0.11.1","v0.11.10","v0.11.11","v0.11.12","v0.11.13","v0.11.14","v0.11.15","v0.11.16","v0.11.17","v0.11.17.post1","v0.11.18","v0.11.19","v0.11.2","v0.11.20","v0.11.21","v0.11.22","v0.11.23","v0.11.23.post1","v0.11.23.post2","v0.11.23.post3","v0.11.3","v0.11.4","v0.11.5","v0.11.6","v0.11.6.post1","v0.11.7","v0.11.8","v0.11.9","v0.12.0","v0.12.0.post1","v0.12.1","v0.12.2","v0.12.3","v0.12.4","v0.12.5","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.6.0","v0.6.0.alpha1","v0.6.21","v0.6.3","v0.7.10","v0.7.11","v0.7.11.post1","v0.7.12","v0.7.13","v0.7.14","v0.7.19","v0.7.20","v0.7.24.post1","v0.7.9","v0.8.1.post1","v0.8.10","v0.8.11.post1","v0.8.11.post2","v0.8.11.post3","v0.8.2","v0.8.2.post1","v0.8.25","v0.8.29.post1","v0.8.3","v0.8.38","v0.8.4","v0.8.43","v0.8.43.post1","v0.8.45","v0.8.45.post1","v0.8.5.post1","v0.8.53.post1","v0.8.63.post1","v0.8.66","v0.8.69","v0.8.69.post1","v0.8.69.post2","v0.8.7","v0.9.0","v0.9.1","v0.9.10","v0.9.11.post1","v0.9.12","v0.9.14.post3","v0.9.15","v0.9.15.post1","v0.9.15.post2","v0.9.16.post1","v0.9.17.dev1","v0.9.22","v0.9.25","v0.9.26","v0.9.28","v0.9.28.post1","v0.9.28.post2","v0.9.29","v0.9.3","v0.9.3.post1","v0.9.31","v0.9.36","v0.9.37","v0.9.38","v0.9.39","v0.9.40","v0.9.41","v0.9.42","v0.9.42.post1","v0.9.42.post2","v0.9.45.post1","v0.9.46","v0.9.48","v0.9.5","v0.9.6","v0.9.6.post1","v0.9.6.post2","v0.9.7","v0.9.8","v0.9.8.post1","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12704.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}