Miggo Logo
Miggo Vulnerability Database
CVE-2024-42835

CVE-2024-42835:
langflow has vulnerability in PythonCodeTool component

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-42835
GHSA ID
GHSA-56m6-4mhw-h3g5
EPSS Score
0.80539%
CWE
-
Published
10/31/2024
Updated
11/1/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
langflowpip<= 1.0.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the PythonCodeTool's build method directly executing user-controlled code via exec() in the global namespace. The GitHub issue reproduction demonstrates how passing malicious code in tool_code (like os.popen calls) gets executed server-side. The lack of input validation, restricted namespaces, or sandboxing around the exec() call makes this a clear RCE vector. The code structure shown in the issue matches typical Python tool execution patterns in LangChain-based frameworks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

l*n**low v*.*.** w*s *is*ov*r** to *ont*in * r*mot* *o** *x**ution (R**) vuln*r**ility vi* t** Pyt*on*o**Tool *ompon*nt.

Reasoning

T** vuln*r**ility st*ms *rom t** Pyt*on*o**Tool's *uil* m*t*o* *ir**tly *x**utin* us*r-*ontroll** *o** vi* `*x**()` in t** *lo**l n*m*sp***. T** *it*u* issu* r*pro*u*tion **monstr*t*s *ow p*ssin* m*li*ious *o** in `tool_*o**` (lik* `os.pop*n` **lls)