
CVE-2024-12910: LlamaIndex Uncontrolled Resource Consumption vulnerability

CVSS Score: 4.2 (CVSS 3.0)

Basic Information

EPSS Score: 0.19664%
Published: 3/20/2025
Updated: 3/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
llama-index  | pip       |                     |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the recursive get_article_urls method which previously had no mechanism to prevent infinite recursion. The GitHub patch adds a max_depth parameter to limit recursion depth, confirming this was the vulnerable component. The CVE description explicitly identifies this method as the recursion point, and the commit diff shows the vulnerability was addressed by adding depth tracking to this specific function.
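To make the root cause concrete, here is an added illustration (not llama_index's code and not the project's patch): a minimal link-walking routine written in the vulnerable style, next to a version that carries a max_depth counter in the way the analysis above describes. The site map, the function names and the extra visited-set check are all constructed for this example; the walker runs entirely offline against an in-memory dictionary in which one page links back to the root, which is exactly the condition that sends the unbounded version into infinite recursion.

```python
"""Recursion-limited link walking: vulnerable pattern beside the hardened form.

Added example only. Names, site map and the visited-set check are assumptions
for illustration, not code from the llama_index project.
"""

# Constructed in-memory "site": page URL -> links found on that page.
# /a links back to the root, so the graph contains a cycle.
SITE = {
    "https://example.test/": ["https://example.test/a", "https://example.test/b"],
    "https://example.test/a": ["https://example.test/"],   # points back at the root
    "https://example.test/b": ["https://example.test/c"],
    "https://example.test/c": [],
}


def fetch_links(url):
    """Stand-in for an HTTP fetch plus link extraction; reads the constructed map."""
    return SITE.get(url, [])


def get_article_urls_unbounded(url, collected=None):
    """Vulnerable pattern: recurse into every link with no depth or visited check.

    On a site where some page links back to the root this never terminates on
    its own; Python eventually raises RecursionError, and a walker without that
    interpreter limit would simply consume CPU and memory until killed.
    """
    if collected is None:
        collected = []
    collected.append(url)
    for link in fetch_links(url):
        get_article_urls_unbounded(link, collected)
    return collected


def get_article_urls_bounded(url, max_depth=3, depth=0, visited=None):
    """Hardened pattern (assumed design): a max_depth parameter stops descent
    once the current depth exceeds it, mirroring the fix described in the
    analysis. The visited set is an additional, assumed hardening so that a
    link back to the root is skipped instead of re-walked up to the limit.
    """
    if visited is None:
        visited = set()
    if depth > max_depth or url in visited:
        return visited
    visited.add(url)
    for link in fetch_links(url):
        get_article_urls_bounded(link, max_depth, depth + 1, visited)
    return visited


def unbounded_walk_terminates(url):
    """Return False when the unbounded walk exhausts the recursion limit."""
    try:
        get_article_urls_unbounded(url)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    root = "https://example.test/"
    print("unbounded terminates:", unbounded_walk_terminates(root))
    print("bounded result:", sorted(get_article_urls_bounded(root, max_depth=3)))
```

Running it shows the unbounded walker failing with RecursionError on the cyclic map while the bounded walker returns the four reachable pages and stops. The depth cap alone already guarantees termination (the amount of work is bounded by the branching factor raised to max_depth); the visited set is what keeps that bounded work from being wasted on pages already seen.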


WAF Protection Rules

WAF Rule

A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursi
