Submit #811273: VectifyAI PageIndex latest Infinite Loop (CWE-835)info

TitleVectifyAI PageIndex latest Infinite Loop (CWE-835)
Description# Technical Details An Arbitrary Infinite Loop Denial of Service (DoS) vulnerability exists in the `toc_transformer` method in `pageindex/page_index.py` of PageIndex. The application fails to limit loop iterations when handling LLM responses that hit the maximum output token limit (where `finish_reason == "length"`). Without a retry counter, the system automatically and endlessly attempts to instruct the model to "continue". # Vulnerable Code File: `pageindex/page_index.py` Method: `toc_transformer()` Why: The while loop rebuilds the prompt and calls the LLM API without checking an iteration limit or bailout condition when the completion check repeatedly fails. # Reproduction 1. Generate an adversarial PDF with thousands of sections in the TOC (sufficiently large to cause the LLM to truncate output), or set up a Mock OpenAI proxy that forcibly returns `finish_reason: "length"`. 2. Run the application via the CLI against the malicious PDF: `python run_pageindex.py --pdf_path evil_toc.pdf --model gpt-3.5-turbo` 3. Observe the process forever attempting to complete the TOC, utilizing 100% of a CPU thread and rapidly emitting API requests. # Impact - Denial of Service (DoS) due to process hanging. - Immediate financial exhaustion of the backend LLM service billing account due to unbounded API requests.
Source⚠️ https://github.com/VectifyAI/PageIndex/issues/174
User
 Eric-b (UID 96354)
Submission04/23/2026 09:40 (3 months ago)
Moderation05/11/2026 15:16 (18 days later)
StatusAccepted
VulDB entry362605 [VectifyAI PageIndex up to f50e52975313c6716c02b20a119577a1929decba PDF Table of Contents pageindex/page_index.py toc_transformer infinite loop]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!