CVE-2024-9277 — MEDIUM (CVSS 6.5) AI Security Vulnerability

Q: Is CVE-2024-9277 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-9277, increasing the risk of exploitation.

Q: How to fix CVE-2024-9277?

1. Upgrade Langflow beyond 1.0.18 — check the official GitHub for the first release addressing CWE-1333 in utils.py. 2. If no patch available, restrict Langflow API access to explicitly trusted internal IP ranges via firewall or reverse proxy ACLs. 3. Enforce authentication controls — ensure no anonymous access to HTTP POST endpoints. 4. Implement request timeouts and CPU limits at the process/container level to bound the impact of any single request. 5. Deploy rate limiting on the POST endpoint to slow brute-force DoS attempts. 6. Monitor for CPU spike patterns in Langflow processes as a detection signal — a single malicious request can peg a CPU core to 100%. 7. Reference the PoC at the Notion advisory URL for reproduction details to validate fixes.

Q: What systems are affected by CVE-2024-9277?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation, multi-step AI pipelines.

Q: What is the CVSS score for CVE-2024-9277?

CVE-2024-9277 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.17%.

CISO Take

Any low-privilege authenticated user can hang or crash Langflow's backend by sending a crafted HTTP POST request that triggers catastrophic regex backtracking. No patch was available at disclosure and the vendor was unresponsive — if your team runs Langflow ≤1.0.18 for AI pipeline orchestration, restrict API access to trusted networks immediately. No data exfiltration risk, but full availability loss of your LLM workflow layer is trivially achievable.

Risk Assessment

Medium operational risk with high availability impact if exploited. Network-accessible with low-privilege authentication required — any registered Langflow user can trigger it. PoC is public. EPSS is very low (0.17%) indicating limited in-the-wild exploitation, but the attack requires no AI/ML expertise: just a crafted string sent to an HTTP endpoint. Organizations exposing Langflow to internal users or via API are meaningfully exposed until patched or mitigated.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →
langflow	pip	<= 1.0.18	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 38% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I None

A High

Recommended Action

7 steps

Upgrade Langflow beyond 1.0.18 — check the official GitHub for the first release addressing CWE-1333 in utils.py.
If no patch available, restrict Langflow API access to explicitly trusted internal IP ranges via firewall or reverse proxy ACLs.
Enforce authentication controls — ensure no anonymous access to HTTP POST endpoints.
Implement request timeouts and CPU limits at the process/container level to bound the impact of any single request.
Deploy rate limiting on the POST endpoint to slow brute-force DoS attempts.
Monitor for CPU spike patterns in Langflow processes as a detection signal — a single malicious request can peg a CPU core to 100%.
Reference the PoC at the Notion advisory URL for reproduction details to validate fixes.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system availability and resilience

NIST AI RMF

MS-2.5 - Risk response: AI system performance monitoring and incident response

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2024-9277?

Any low-privilege authenticated user can hang or crash Langflow's backend by sending a crafted HTTP POST request that triggers catastrophic regex backtracking. No patch was available at disclosure and the vendor was unresponsive — if your team runs Langflow ≤1.0.18 for AI pipeline orchestration, restrict API access to trusted networks immediately. No data exfiltration risk, but full availability loss of your LLM workflow layer is trivially achievable.

Is CVE-2024-9277 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-9277, increasing the risk of exploitation.

How to fix CVE-2024-9277?

1. Upgrade Langflow beyond 1.0.18 — check the official GitHub for the first release addressing CWE-1333 in utils.py. 2. If no patch available, restrict Langflow API access to explicitly trusted internal IP ranges via firewall or reverse proxy ACLs. 3. Enforce authentication controls — ensure no anonymous access to HTTP POST endpoints. 4. Implement request timeouts and CPU limits at the process/container level to bound the impact of any single request. 5. Deploy rate limiting on the POST endpoint to slow brute-force DoS attempts. 6. Monitor for CPU spike patterns in Langflow processes as a detection signal — a single malicious request can peg a CPU core to 100%. 7. Reference the PoC at the Notion advisory URL for reproduction details to validate fixes.

What systems are affected by CVE-2024-9277?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation, multi-step AI pipelines.

What is the CVSS score for CVE-2024-9277?

CVE-2024-9277 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with a low-privilege Langflow account (e.g., a developer or contractor with basic access) sends a crafted HTTP POST request to the Langflow backend. The `remaining_text` parameter contains input engineered to trigger catastrophic backtracking in the regex pattern within utils.py — a classic ReDoS payload. The regex engine enters an exponential execution loop, consuming 100% of a CPU core. With a small number of concurrent requests, the attacker saturates all available CPU threads, making the Langflow service unresponsive. All active AI workflows, agent pipelines, and API consumers are immediately disrupted. The attacker needs no knowledge of the underlying LLM models, only the ability to send HTTP requests.