CVE-2024-12704: 
Python vulnerability analysis and mitigation

A vulnerability has been identified in the LangChainLLM class of the run-llama/llamaindex repository, version v0.12.5. The vulnerability, tracked as CVE-2024-12704, allows for a Denial of Service (DoS) attack through the streamcomplete method. The issue was disclosed on March 20, 2025 (NVD).

The vulnerability exists in the streamcomplete method which executes the llm using a thread and retrieves the result via the getresponsegen method of the StreamingGeneratorCallbackHandler class. When the thread terminates abnormally before the llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the getresponsegen function. The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Huntr).

The vulnerability can result in a Denial of Service condition when triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely (NVD).

A fix has been implemented by adding a timeout parameter to the langchain callback handler, as evidenced in the commit d1ecfb77578d089cbe66728f18f635c09aa32a05. The fix includes a timeout mechanism in the getresponsegen method with a default timeout of 120 seconds (Github Commit).