Published June 10, 2024
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | < 1.0.15 | 1.0.15 |
| langflow | pip | — | No patch |
Severity & Risk
- CVSS 3.1: 9.8 / 10
- EPSS: 6.5% chance of exploitation in 30 days
- KEV Status: Not in KEV
- Sophistication: N/A
Recommended Action
- Patch available: update langflow to version 1.0.15
Technical Details
NVD Description
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/langflow-ai/langflow/issues/1973 Exploit Issue
- github.com/advisories/GHSA-qg33-x2c5-6p44
- github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-37014
Timeline
- Published: June 10, 2024
- Last Modified: January 21, 2025
- First Seen: June 10, 2024