| Title | VectifyAI PageIndex latest Infinite Loop (CWE-835) |
|---|---|
| Description | # Technical Details
An infinite loop denial of service (DoS) vulnerability (CWE-835) exists in the `toc_transformer` method in `pageindex/page_index.py` of PageIndex.
The application does not bound the number of loop iterations when handling LLM responses that hit the maximum output token limit (`finish_reason == "length"`). Without a retry counter, it keeps appending the partial answer and instructing the model to "continue", indefinitely.
# Vulnerable Code
File: `pageindex/page_index.py`
Method: `toc_transformer()`
Why: The while loop rebuilds the prompt and calls the LLM API again every time the completion check fails, with no iteration limit or other bailout condition, so a model or proxy that never reports a finished response is called forever.
# Reproduction
1. Generate an adversarial PDF whose table of contents has thousands of sections (large enough that the LLM truncates its output), or set up a mock OpenAI-compatible proxy that always returns `finish_reason: "length"`.
2. Run the application via the CLI against the malicious PDF: `python run_pageindex.py --pdf_path evil_toc.pdf --model gpt-3.5-turbo`
3. Observe that the process never finishes the TOC: it pins one CPU thread at 100% and emits API requests in rapid succession.
# Impact
- Denial of Service (DoS): the process hangs indefinitely.
- Rapid financial exhaustion of the backend LLM service billing account, since every "continue" round trip is a billed API request and nothing bounds their number. |
| Source | ⚠️ https://github.com/VectifyAI/PageIndex/issues/174 |
| User | Eric-b (UID 96354) |
| Submitted | 2026-04-23 09:40 AM (1 month ago) |
| Moderation | 2026-05-11 03:16 PM (18 days later) |
| Status | Accepted |
| VulDB entry | 362605 [VectifyAI PageIndex up to f50e52975313c6716c02b20a119577a1929decba PDF Table of Contents pageindex/page_index.py toc_transformer denial of service] |
| Points | 20 |
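The "continue until the model stops truncating" loop from the Technical Details above, as an added example that is not PageIndex's own code. A constructed mock model plays the role of the proxy from reproduction step 1 (it always reports `finish_reason == "length"`), and the same loop is run once without a bound, which is the CWE-835 pattern, and once with a continuation cap, which is the fix the report implies when it says there is no retry counter. `MockLLM`, `gather_toc`, the limit value and the mock's `call_budget` are assumptions for this illustration; the budget exists only so the unbounded variant can be shown here without actually hanging.

```python
"""Bounded vs. unbounded LLM "continue" loops (added example; not PageIndex code)."""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Completion:
    """Minimal stand-in for one chat-completion choice (constructed for this example)."""
    content: str
    finish_reason: str  # "stop" when the model finished, "length" when it hit max_tokens


class BudgetExhausted(RuntimeError):
    """Raised by the mock when the caller has made more requests than we will pay for."""


class ContinuationLimitExceeded(RuntimeError):
    """Raised by the hardened loop when the model never reports finish_reason == 'stop'."""


@dataclass
class MockLLM:
    """Constructed mock of an LLM endpoint (assumption: stands in for the real API client).

    chunks: content pieces to return in order; the last one reports 'stop'.
    truncate_forever: behave like the malicious proxy in the report and always report
        'length', so a caller without a retry counter never exits.
    call_budget: safety valve so the unbounded loop can be demonstrated without hanging.
    """
    chunks: List[str] = field(default_factory=list)
    truncate_forever: bool = False
    call_budget: int = 50
    calls: int = 0

    def complete(self, messages: List[dict]) -> Completion:
        self.calls += 1
        if self.calls > self.call_budget:
            raise BudgetExhausted(
                f"{self.calls - 1} requests issued and still no finish_reason == 'stop'")
        if self.truncate_forever:
            return Completion(content='{"title": "Section %d"}, ' % self.calls,
                              finish_reason="length")
        idx = self.calls - 1
        if idx >= len(self.chunks):
            return Completion(content="", finish_reason="stop")
        last = idx == len(self.chunks) - 1
        return Completion(content=self.chunks[idx],
                          finish_reason="stop" if last else "length")


def gather_toc(llm: MockLLM, prompt: str, max_continuations: Optional[int]) -> str:
    """Ask the model to 'continue' while its answer is truncated, then return the joined text.

    max_continuations=None reproduces the vulnerable pattern: nothing bounds the loop, so a
    model or proxy that always answers finish_reason == 'length' is called forever.
    A finite value is the fix: give up and raise instead of billing indefinitely.
    """
    messages = [{"role": "user", "content": prompt}]
    parts: List[str] = []
    continuations = 0
    while True:
        resp = llm.complete(messages)
        parts.append(resp.content)
        if resp.finish_reason != "length":
            return "".join(parts)
        if max_continuations is not None and continuations >= max_continuations:
            raise ContinuationLimitExceeded(
                f"gave up after {continuations} continuation requests; "
                f"{len(''.join(parts))} chars of partial output discarded")
        continuations += 1
        # Same shape as the report's loop: keep the partial answer and ask for more.
        messages.append({"role": "assistant", "content": resp.content})
        messages.append({"role": "user", "content": "continue"})


def run_unbounded_against_truncating_proxy() -> int:
    """Vulnerable loop vs. an always-'length' proxy: number of requests before the mock's
    safety valve cut it off (without that valve this would never return)."""
    llm = MockLLM(truncate_forever=True, call_budget=50)
    try:
        gather_toc(llm, "Transform this TOC into JSON", max_continuations=None)
    except BudgetExhausted:
        return llm.calls - 1
    raise AssertionError("unbounded loop terminated; it should not have")


def run_bounded_against_truncating_proxy(limit: int = 5) -> int:
    """Hardened loop vs. the same proxy: total requests issued before it gives up (limit + 1)."""
    llm = MockLLM(truncate_forever=True, call_budget=50)
    try:
        gather_toc(llm, "Transform this TOC into JSON", max_continuations=limit)
    except ContinuationLimitExceeded:
        return llm.calls
    raise AssertionError("bounded loop did not stop")


def run_bounded_on_well_behaved_model() -> list:
    """A legitimately long TOC needing two continuations still completes under the cap."""
    llm = MockLLM(chunks=['[{"title": "Intro"}, ', '{"title": "Body"}, ', '{"title": "End"}]'])
    return json.loads(gather_toc(llm, "Transform this TOC into JSON", max_continuations=5))


if __name__ == "__main__":
    print("unbounded loop, requests before safety valve:", run_unbounded_against_truncating_proxy())
    print("bounded loop (limit 5), total requests:", run_bounded_against_truncating_proxy(5))
    print("bounded loop, benign model:", run_bounded_on_well_behaved_model())
```

The cap is deliberately a count of continuation requests rather than a wall-clock timeout: each round trip is a billed request, so the number of requests is the quantity that needs an upper bound. Raising rather than silently returning the partial text keeps the failure visible to the operator, which matters when the trigger is a malicious document rather than a merely long one.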