Description
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the LLM in a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.
A flaw was found in the run-llama/llama_index. This vulnerability allows for a denial of service (DoS) attack via improper exception handling in the stream_complete method, which leads to an infinite loop in get_response_gen when the execution thread terminates abnormally.
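As an added illustration (not llama_index code), the following reconstructs the stream_complete / get_response_gen producer-consumer pattern with the exception handling the advisory describes as missing: the worker thread records its failure and releases the consumer, and the consumer also bails out if the thread dies without reporting instead of polling forever. SafeStreamingHandler, fake_predict and consume are hypothetical names chosen for this example.

```python
import queue
import threading

class SafeStreamingHandler:  # reconstructed callback handler: worker thread pushes tokens, caller drains them
    def __init__(self) -> None:
        self._queue: "queue.Queue[str]" = queue.Queue()
        self._done = threading.Event()
        self.error = None
    def on_token(self, token: str) -> None:
        self._queue.put(token)
    def finish(self, exc: BaseException = None) -> None:
        self.error = exc  # record any failure, then release the consumer either way
        self._done.set()
    def get_response_gen(self, worker: threading.Thread, poll_s: float = 0.05):
        while True:
            try:
                token = self._queue.get(timeout=poll_s)
            except queue.Empty:
                if self.error is not None:
                    raise RuntimeError("streaming worker failed") from self.error
                if self._done.is_set():
                    return  # producer finished and the queue is drained
                if not worker.is_alive():  # died without reporting: an unguarded loop would spin here forever
                    raise RuntimeError("streaming worker exited without signalling completion")
                continue
            yield token

def stream_complete(prompt, predict):
    handler = SafeStreamingHandler()
    def run() -> None:
        try:
            predict(prompt, handler)
            handler.finish()
        except BaseException as exc:  # the handling the advisory says is missing around _llm.predict
            handler.finish(exc)
    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return handler.get_response_gen(worker)

def fake_predict(prompt, handler: SafeStreamingHandler) -> None:
    if not isinstance(prompt, str):  # constructed stand-in for _llm.predict: fails before emitting any token
        raise TypeError("prompt must be str")
    for word in prompt.split():
        handler.on_token(word + " ")

def consume(prompt):
    try:  # returns (tokens, error message) so a failure surfaces instead of hanging the caller
        return list(stream_complete(prompt, fake_predict)), None
    except RuntimeError as exc:
        return [], str(exc.__cause__ or exc)
```

With a wrong-typed prompt the consumer now receives the worker's TypeError as the cause of a RuntimeError within one poll interval rather than spinning on an empty queue.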
Statement
This vulnerability is marked as high severity rather than moderate because it can cause a complete Denial of Service (DoS) in affected applications. The flaw can be triggered trivially by supplying an input of an invalid type. Since there is no exception handling when the prediction thread terminates prematurely, the get_response_gen function enters an infinite loop, consuming CPU resources indefinitely. This not only disrupts service availability but can also affect multi-threaded environments, where stalled threads accumulate and degrade overall system performance.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9 | Affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
LlamaIndex Improper Handling of Exceptional Conditions vulnerability