
CVE-2024-12910: CWE-674 Uncontrolled Recursion in run-llama run-llama/llama_index

Severity: Medium
Tags: Vulnerability, CVE-2024-12910, CWE-674
Published: Thu Mar 20 2025 (03/20/2025, 10:09:12 UTC)
Source: CVE Database V5
Vendor/Project: run-llama
Product: run-llama/llama_index

Description

A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.

AI-Powered Analysis

AI analysis last updated: 10/15/2025, 13:24:25 UTC

Technical Analysis

CVE-2024-12910 identifies a vulnerability in the run-llama/llama_index repository, specifically within the KnowledgeBaseWebReader class. The reader's get_article_urls method crawls a knowledge base by loading a page, collecting the links on it, and recursing into every linked page that is not itself an article. Nothing records which pages have already been visited and nothing bounds the recursion depth, so a link cycle never terminates. The reported trigger is a crawled page whose link resolves back to the root URL the reader started from: the method re-enters the root page and repeats the same walk at every level. Each level holds a fetched page and its parsed links, so CPU, memory and open handles grow until the interpreter raises RecursionError at its recursion limit (sys.getrecursionlimit(), 1000 by default) or the process exhausts memory first, leaving the application unresponsive or crashed. The vulnerability is classified under CWE-674 (Uncontrolled Recursion). The recorded CVSS v3.0 base score is 4.2 (medium): attack vector physical (AV:P), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high availability impact (A:H) and no confidentiality or integrity impact (C:N/I:N). Treat the physical attack vector as the assigner's rating of the reported scenario rather than a description of exposure: any attacker who can supply the root URL, or who controls a page the reader crawls, can plant the link that triggers the recursion. The record lists the affected version only as "latest", and at the time of this analysis no patch or known exploit was recorded. The root cause is the absence of cycle detection (a visited set) and of any recursion depth or page budget in the URL-collection logic, combined with accepting the root URL without validation.

Potential Impact

For European organizations, the primary impact is denial of service, which can disrupt availability of applications or services relying on run-llama/llama_index, particularly those using the KnowledgeBaseWebReader functionality. This could affect AI-driven knowledge base systems, research tools, or internal applications that integrate this library. Because the trigger is a link back to the starting URL, any user-supplied root URL or any third-party site the reader is pointed at is a viable trigger; ingestion pipelines that accept URLs from end users or crawl sites they do not control are the realistic exposure. While confidentiality and integrity are not directly impacted, service outages can lead to operational downtime, loss of productivity, and potential reputational damage. Organizations in sectors with high reliance on AI/ML tooling, such as technology firms, research institutions, and digital service providers, are at greater risk. The medium severity and high complexity of exploitation reduce the likelihood of widespread attacks but do not eliminate targeted abuse. The absence of known exploits suggests a window for proactive mitigation before active exploitation occurs.

Mitigation Recommendations

To mitigate this vulnerability, organizations should validate the root URL before it reaches get_article_urls (scheme is http or https, host is an expected knowledge-base host, and the value is not derived unchecked from end-user input) and should not rely on that alone, since the trigger is a link on a crawled page rather than the root URL itself. The crawl needs a visited set so that a URL is fetched at most once, a maximum recursion depth, and a total page budget; a per-request timeout on each fetch keeps a slow or unresponsive page from tying up the crawl. Restrict the walk to the root URL's host so that a crawled page cannot redirect it elsewhere. Raising sys.setrecursionlimit is not a fix: it only moves the failure from RecursionError to memory exhaustion or a native stack overflow. For detection, alert on RecursionError tracebacks that mention get_article_urls, on repeated fetches of the same URL within one ingestion job, and on worker restarts or memory spikes correlated with reader activity. Until an official patch is available, run the reader in an isolated worker with CPU and memory limits (container limits or resource quotas) so an exhausted crawl cannot take down the rest of the application. Review and update the run-llama/llama_index dependency regularly and subscribe to vendor advisories for patches. Developers should also audit other recursive crawlers and input-handling paths in their code for the same missing visited-set and depth-limit controls.
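The recursive crawl pattern described in the Technical Analysis and the visited-set, depth-limit and host-restriction controls recommended above, as an added example. This is not code from llama_index or from the advisory: it is a minimal crawler modelled on the "collect links, recurse into non-article pages" pattern, run against a constructed in-memory site instead of a live browser. The names SITE, fetch_links, demo_unbounded, get_article_urls_unbounded and get_article_urls_bounded, and the sample URLs, are assumptions chosen for the illustration.

```python
# Added example, not llama_index code: a recursive link crawler in the style the
# advisory describes, vulnerable form beside a hardened form, run offline.
from urllib.parse import urljoin, urlparse

# Constructed sample knowledge base: page URL -> hrefs found on that page.
# Every page carries a navigation link back to "/" (the root URL), which is the
# cycle the advisory describes; one page also links off-host.
SITE = {
    "https://kb.example.com/": ["/articles/a1", "/categories/faq", "/"],
    "https://kb.example.com/categories/faq": ["/articles/a2", "/", "https://other.example.net/"],
    "https://kb.example.com/articles/a1": ["/"],
    "https://kb.example.com/articles/a2": ["/"],
}
ARTICLE_PATH = "/articles/"
FETCH_LOG = []  # every URL "fetched", so a caller can see how far each crawler got


def fetch_links(url):
    """Stand-in for loading a page and extracting its links (unknown pages are empty)."""
    FETCH_LOG.append(url)
    return SITE.get(url, [])


def get_article_urls_unbounded(root_url, current_url, article_path):
    """Vulnerable pattern: no visited set, no depth bound, no host check.
    A link that resolves back to root_url re-enters the root page forever."""
    urls = []
    for href in fetch_links(current_url):
        url = urljoin(current_url, href)
        if article_path in url:
            urls.append(url)
        else:
            urls.extend(get_article_urls_unbounded(root_url, url, article_path))
    return urls


def demo_unbounded(root_url):
    """Run the vulnerable crawler and report how it ends. Python raises
    RecursionError once the stack reaches sys.getrecursionlimit() (1000 by
    default); a reader that keeps a browser page open per level would exhaust
    memory long before that. Returns (outcome, number of pages fetched)."""
    FETCH_LOG.clear()
    try:
        get_article_urls_unbounded(root_url, root_url, ARTICLE_PATH)
        return "completed", len(FETCH_LOG)
    except RecursionError:
        return "RecursionError", len(FETCH_LOG)


def get_article_urls_bounded(root_url, current_url, article_path, visited=None,
                             depth=0, max_depth=5, max_pages=200):
    """Hardened version: the visited set breaks cycles, depth and page budgets
    bound the total work, and only links on the root URL's host are followed."""
    if visited is None:
        visited = set()
    if depth > max_depth or len(visited) >= max_pages or current_url in visited:
        return []
    visited.add(current_url)
    root_host = urlparse(root_url).netloc
    urls = []
    for href in fetch_links(current_url):
        url = urljoin(current_url, href)
        if urlparse(url).netloc != root_host:
            continue  # never let a crawled page steer the walk off the KB host
        if article_path in url:
            urls.append(url)
        else:
            urls.extend(get_article_urls_bounded(root_url, url, article_path,
                                                 visited, depth + 1, max_depth, max_pages))
    return list(dict.fromkeys(urls))  # drop duplicates, keep first-seen order


if __name__ == "__main__":
    print("unbounded:", demo_unbounded("https://kb.example.com/"))
    print("bounded:", get_article_urls_bounded("https://kb.example.com/",
                                               "https://kb.example.com/", ARTICLE_PATH))
```

Running the file shows the unbounded crawler ending in RecursionError after several hundred fetches of the same two pages, while the bounded crawler fetches the root and the category page once each and returns the two article URLs. The depth and page budgets are deliberately separate controls: a visited set alone still lets a large site with no cycles consume unbounded time, and a depth limit alone still lets a wide page fan out into thousands of fetches.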


Technical Details

Data Version
5.1
Assigner Short Name
@huntr_ai
Date Reserved
2024-12-24T07:49:19.082Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68ef9b25178f764e1f470b16

Added to database: 10/15/2025, 1:01:25 PM

Last enriched: 10/15/2025, 1:24:25 PM

Last updated: 10/16/2025, 2:41:51 PM

