CVE-2024-48061

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Nov 4, 2024 / Updated: 15d ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Summary

langflow version 1.0.18 and earlier is vulnerable to Remote Code Execution (RCE). This vulnerability exists because any component provided the code functionality, and the components run on the local machine rather than in a sandbox.

Impact

This vulnerability could allow an attacker to execute arbitrary code on the local machine where langflow is running. This could lead to unauthorized access, data theft, system compromise, or further lateral movement within the network. The vulnerability has a CVSS v3.1 base score of 9.8, indicating a critical severity level. It has high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity without the need for privileges.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects versions 1.0.18 and earlier, it's likely that upgrading to a version newer than 1.0.18 (if available) would address this issue.

Mitigation

1. Upgrade langflow to a version newer than 1.0.18 if available. 2. If upgrading is not immediately possible, consider isolating systems running langflow from the network or limiting access to trusted users only. 3. Implement strong access controls and monitoring for any systems running langflow. 4. Consider running langflow components in a sandboxed environment to limit the potential impact of code execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48061

Nov 4, 2024 at 11:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48061. See article

Nov 4, 2024 at 11:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 4, 2024 at 11:21 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 5, 2024 at 12:31 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 5, 2024 at 10:05 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 6, 2024 at 8:40 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152380)

Nov 12, 2024 at 7:53 AM
Static CVE Timeline Graph

Affected Systems

Langflow/langflow
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

Vendor Advisory

[GHSA-5p5r-57fx-pmfr] Langflow vulnerable to remote code execution
GitHub Security Advisory: GHSA-5p5r-57fx-pmfr Release Date: 2024-11-05 Update Date: 2024-11-05 Severity: Moderate CVE-2024-48061 Package Information Package: langflow Affected Versions: Patched Versions: None Description langflow References https://nvd.nist.gov/vuln/detail/CVE-2024-48061 https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61 https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8 langflow-ai/langflow#696

News

CVE-2024-48061
Critical Severity Description langflow Read more at https://www.tenable.com/cve/CVE-2024-48061
[GHSA-5p5r-57fx-pmfr] Langflow vulnerable to remote code execution
GitHub Security Advisory: GHSA-5p5r-57fx-pmfr Release Date: 2024-11-05 Update Date: 2024-11-05 Severity: Moderate CVE-2024-48061 Package Information Package: langflow Affected Versions: Patched Versions: None Description langflow References https://nvd.nist.gov/vuln/detail/CVE-2024-48061 https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61 https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8 langflow-ai/langflow#696
NA - CVE-2024-48061 - langflow
langflow
CVE-2024-48061 | Langflow up to 1.0.18 access control
A vulnerability was found in Langflow up to 1.0.18 . It has been classified as critical . This affects an unknown part. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2024-48061 . It is possible to initiate the attack remotely. There is no exploit available.
CVE-2024-48061 - Langflow RCE
CVE ID : CVE-2024-48061 Published : Nov. 4, 2024, 11:15 p.m. 53 minutes ago Description : langflow Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI