pysec-2024-177
Vulnerability from pysec
Published
2024-06-10 20:15
Modified
2025-01-19 01:52
Severity ?
Details
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
Impacted products
| Name | purl |
|---|---|
| langflow | pkg:pypi/langflow |
Aliases
{ affected: [ { package: { ecosystem: "PyPI", name: "langflow", purl: "pkg:pypi/langflow", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.0.0a3", }, ], type: "ECOSYSTEM", }, ], versions: [ "0.0.31", "0.0.32", "0.0.33", "0.0.40", "0.0.44", "0.0.45", "0.0.46", "0.0.52", "0.0.53", "0.0.54", "0.0.55", "0.0.56", "0.0.57", "0.0.58", "0.0.61", "0.0.62", "0.0.63", "0.0.64", "0.0.65", "0.0.66", "0.0.67", "0.0.68", "0.0.69", "0.0.70", "0.0.71", "0.0.72", "0.0.73", "0.0.74", "0.0.75", "0.0.76", "0.0.78", "0.0.79", "0.0.80", "0.0.81", "0.0.83", "0.0.84", "0.0.85", "0.0.86", "0.0.87", "0.0.88", "0.0.89", "0.1.0", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.2.0", "0.2.1", "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.4.0", "0.4.1", "0.4.10", "0.4.11", "0.4.12", "0.4.14", "0.4.15", "0.4.16", "0.4.17", "0.4.18", "0.4.19", "0.4.2", "0.4.20", "0.4.21", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.0a0", "0.5.0a1", "0.5.0a2", "0.5.0a3", "0.5.0a4", "0.5.0a5", "0.5.0a6", "0.5.0b0", "0.5.0b2", "0.5.0b3", "0.5.0b4", "0.5.0b5", "0.5.0b6", "0.5.1", "0.5.10", "0.5.11", "0.5.12", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "0.5.9", "0.6.0", "0.6.0rc1", "0.6.1", "0.6.10", "0.6.11", "0.6.12", "0.6.14", "0.6.15", "0.6.16", "0.6.17", "0.6.18", "0.6.19", "0.6.2", "0.6.3", "0.6.3a0", "0.6.3a1", "0.6.3a2", "0.6.3a3", "0.6.3a4", "0.6.3a5", "0.6.3a6", "0.6.3a7", "0.6.4", "0.6.4a0", "0.6.4a1", "0.6.5", "0.6.5a0", "0.6.5a1", "0.6.5a10", "0.6.5a11", "0.6.5a12", "0.6.5a13", "0.6.5a2", "0.6.5a3", "0.6.5a4", "0.6.5a5", "0.6.5a6", "0.6.5a7", "0.6.5a8", "0.6.5a9", "0.6.6", "0.6.7", "0.6.7a1", "0.6.7a2", "0.6.7a3", "0.6.7a5", "0.6.8", "0.6.9", "1.0.0a0", "1.0.0a1", "1.0.0a2", ], }, ], aliases: [ "CVE-2024-37014", ], details: "Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the \"POST /api/v1/custom_component\" endpoint and provide a Python script.", id: "PYSEC-2024-177", modified: "2025-01-19T01:52:23.722576+00:00", published: "2024-06-10T20:15:15+00:00", references: [ { type: "EVIDENCE", url: "https://github.com/langflow-ai/langflow/issues/1973", }, { type: "REPORT", url: "https://github.com/langflow-ai/langflow/issues/1973", }, ], severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.