CVE-2024-9277: Langflow: ReDoS crashes LLM workflow backend via HTTP POST
GHSA-355v-2rjx-fpx7 | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Any low-privilege authenticated user can hang or crash Langflow's backend by sending a crafted HTTP POST request that triggers catastrophic regex backtracking. No patch was available at disclosure and the vendor was unresponsive — if your team runs Langflow ≤1.0.18 for AI pipeline orchestration, restrict API access to trusted networks immediately. No data exfiltration risk, but full availability loss of your LLM workflow layer is trivially achievable.
What is the risk?
Medium operational risk with high availability impact if exploited. Network-accessible with low-privilege authentication required — any registered Langflow user can trigger it. PoC is public. EPSS is very low (0.17%) indicating limited in-the-wild exploitation, but the attack requires no AI/ML expertise: just a crafted string sent to an HTTP endpoint. Organizations exposing Langflow to internal users or via API are meaningfully exposed until patched or mitigated.
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
1. Upgrade Langflow beyond 1.0.18 — check the official GitHub for the first release addressing CWE-1333 in utils.py.
2. If no patch available, restrict Langflow API access to explicitly trusted internal IP ranges via firewall or reverse proxy ACLs.
3. Enforce authentication controls — ensure no anonymous access to HTTP POST endpoints.
4. Implement request timeouts and CPU limits at the process/container level to bound the impact of any single request.
5. Deploy rate limiting on the POST endpoint to slow brute-force DoS attempts.
6. Monitor for CPU spike patterns in Langflow processes as a detection signal — a single malicious request can peg a CPU core to 100%.
7. Reference the PoC at the Notion advisory URL for reproduction details to validate fixes.
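The request-timeout and CPU-limit step above can also be enforced in application code, around the regex call itself. This is an added example, not Langflow's code: it runs a match in a child process and kills it when it overruns a wall-clock budget. `bounded_search`, `RegexBudgetExceeded`, the budget values and the sample inputs are assumptions for illustration, and the `fork` start method assumes a POSIX host.

```python
import multiprocessing as mp
import re


class RegexBudgetExceeded(Exception):
    """The match did not finish inside its wall-clock budget."""


def _worker(compiled, text, conn):
    # Child process: run the possibly expensive match and report a boolean.
    conn.send(compiled.search(text) is not None)
    conn.close()


def bounded_search(pattern, text, budget_s=1.0):
    """Run re.search in a killable child; raise if it overruns budget_s."""
    compiled = re.compile(pattern)        # pattern syntax errors surface in the parent
    ctx = mp.get_context("fork")          # assumption: POSIX host
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(compiled, text, send_end))
    proc.start()
    send_end.close()                      # parent keeps only the read end
    try:
        if recv_end.poll(budget_s):       # result arrived within the budget
            return recv_end.recv()
        raise RegexBudgetExceeded(f"no result after {budget_s}s")
    finally:
        if proc.is_alive():
            proc.kill()                   # frees the CPU core the match was holding
        proc.join()
        recv_end.close()


if __name__ == "__main__":
    # Constructed inputs: a textbook nested-quantifier pattern, not Langflow's.
    print(bounded_search(r"\d+$", "order 12345"))
    try:
        bounded_search(r"(a+)+$", "a" * 40 + "!", budget_s=0.5)
    except RegexBudgetExceeded as exc:
        print("aborted:", exc)
```

A process per match is expensive, so a guard like this belongs only on paths that apply backtracking patterns to untrusted input.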
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-9277?
Any low-privilege authenticated user can hang or crash Langflow's backend by sending a crafted HTTP POST request that triggers catastrophic regex backtracking. No patch was available at disclosure and the vendor was unresponsive — if your team runs Langflow ≤1.0.18 for AI pipeline orchestration, restrict API access to trusted networks immediately. No data exfiltration risk, but full availability loss of your LLM workflow layer is trivially achievable.
Is CVE-2024-9277 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-9277, increasing the risk of exploitation.
How to fix CVE-2024-9277?
1. Upgrade Langflow beyond 1.0.18 — check the official GitHub for the first release addressing CWE-1333 in utils.py.
2. If no patch available, restrict Langflow API access to explicitly trusted internal IP ranges via firewall or reverse proxy ACLs.
3. Enforce authentication controls — ensure no anonymous access to HTTP POST endpoints.
4. Implement request timeouts and CPU limits at the process/container level to bound the impact of any single request.
5. Deploy rate limiting on the POST endpoint to slow brute-force DoS attempts.
6. Monitor for CPU spike patterns in Langflow processes as a detection signal — a single malicious request can peg a CPU core to 100%.
7. Reference the PoC at the Notion advisory URL for reproduction details to validate fixes.
What systems are affected by CVE-2024-9277?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation, multi-step AI pipelines.
What is the CVSS score for CVE-2024-9277?
CVE-2024-9277 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.90%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An attacker with a low-privilege Langflow account (e.g., a developer or contractor with basic access) sends a crafted HTTP POST request to the Langflow backend. The `remaining_text` parameter contains input engineered to trigger catastrophic backtracking in the regex pattern within utils.py — a classic ReDoS payload. The regex engine enters an exponential execution loop, consuming 100% of a CPU core. With a small number of concurrent requests, the attacker saturates all available CPU threads, making the Langflow service unresponsive. All active AI workflows, agent pipelines, and API consumers are immediately disrupted. The attacker needs no knowledge of the underlying LLM models, only the ability to send HTTP requests.
Weaknesses (CWE)
CWE-1333 Inefficient Regular Expression Complexity (Primary)
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
- [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Source: MITRE CWE corpus.
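The first mitigation above, removing nested quantifiers, can be checked mechanically. This added example is not from the advisory or from Langflow: it uses CPython's internal regex parser (`re._parser`, or `sre_parse` on older versions) to flag patterns in which an unbounded repeat wraps another unbounded repeat. The sample patterns are constructed, and overlapping alternations such as `(a|a)*` are outside what it detects.

```python
# Added example: flag nested unbounded quantifiers with CPython's own regex parser.
try:
    from re import _parser as sre_parse   # CPython 3.11+ (internal module)
except ImportError:
    import sre_parse                      # older CPython

REPEATS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT}   # greedy and lazy repeats


def subpatterns(arg):
    """Yield every SubPattern nested anywhere inside a parse-node argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from subpatterns(item)


def is_unbounded(op, arg):
    """True for *, + and {n,}: a repeat with no upper bound."""
    return op in REPEATS and arg[1] == sre_parse.MAXREPEAT


def contains_unbounded(sub):
    return any(is_unbounded(op, arg)
               or any(contains_unbounded(s) for s in subpatterns(arg))
               for op, arg in sub)


def has_nested_quantifier(pattern):
    """True if an unbounded repeat wraps another unbounded repeat."""
    def walk(sub):
        for op, arg in sub:
            if is_unbounded(op, arg) and contains_unbounded(arg[2]):
                return True
            if any(walk(s) for s in subpatterns(arg)):
                return True
        return False
    return walk(sre_parse.parse(pattern))


# Constructed sample patterns (hypothetical; none is taken from Langflow's utils.py).
SAMPLES = [r"(\w+\s?)*$", r"(a+)+", r"\w+(?:\s\w+)?$", r"(?:ab|cd)+", r"[a-z]+\d*"]


def audit(patterns):
    """Return the patterns that need review before they see untrusted input."""
    return [p for p in patterns if has_nested_quantifier(p)]


if __name__ == "__main__":
    for p in audit(SAMPLES):
        print("review:", p)
```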
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
- rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4 Exploit 3rd Party
- vuldb.com Permissions Required VDB
- vuldb.com 3rd Party VDB
- vuldb.com 3rd Party VDB
- github.com/advisories/GHSA-355v-2rjx-fpx7
- github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py
- nvd.nist.gov/vuln/detail/CVE-2024-9277
Timeline
Related Vulnerabilities
- CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10). Same package: langflow
- CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution. Same package: langflow
- CVE-2026-33309 9.9 langflow: Path Traversal enables file access. Same package: langflow
- CVE-2024-37014 9.8 Langflow: unauthenticated RCE via custom component API. Same package: langflow
- CVE-2026-33017 9.8 langflow: Code Injection enables RCE. Same package: langflow