
CVE-2024-9277: Inefficient Regular Expression Complexity in langflow

CVSS Score: 3.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.60671%
Published: 9/27/2024
Updated: 10/1/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name: langflow
Ecosystem: pip
Vulnerable Versions: <= 1.0.18
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

  1. The vulnerability disclosure explicitly references utils.py and manipulation of remaining_text.
  2. The code analysis shows extract_input_variables_from_prompt processes remaining_text using a regex in a loop.
  3. The regex pattern contains alternation and non-greedy quantifiers that create ambiguity, a known ReDoS risk pattern.
  4. The loop structure (modifying remaining_text after each match) combined with exponential regex complexity creates a denial-of-service vector.
  5. The user submission #410043 directly identifies this function as vulnerable through code analysis.
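As an added illustration (not langflow's code; the advisory does not reproduce the actual regex), a regex-free, bounded scanner for `{name}` prompt placeholders: it walks the template exactly once, never re-runs a pattern on a shrinking remaining_text, and rejects oversized input before any matching happens. The `{name}` syntax with `{{`/`}}` escapes and the size bound are assumptions, not taken from the page.

```python
from typing import List

# Constructed bound for prompt templates received over HTTP; size it to real
# workloads. Rejecting oversized input caps the work any matcher can do.
MAX_PROMPT_CHARS = 10_000


def extract_input_variables_linear(prompt: str,
                                   max_chars: int = MAX_PROMPT_CHARS) -> List[str]:
    """Return the distinct {name} placeholders in a prompt template.

    Runs in O(len(prompt)) with no regex and no backtracking. Unlike a loop
    that re-applies an ambiguous pattern to remaining_text after every match,
    each character is examined once. '{{' and '}}' are treated as escaped
    literal braces (an assumption about the template syntax).
    """
    if len(prompt) > max_chars:
        raise ValueError(f"prompt exceeds {max_chars} characters")
    variables: List[str] = []
    i, n = 0, len(prompt)
    while i < n:
        if prompt.startswith("{{", i) or prompt.startswith("}}", i):
            i += 2  # escaped literal brace, not a placeholder
            continue
        if prompt[i] != "{":
            i += 1
            continue
        end = prompt.find("}", i + 1)
        if end == -1:
            break  # unterminated placeholder: stop instead of rescanning
        name = prompt[i + 1:end]
        if name.isidentifier() and name not in variables:
            variables.append(name)
        i = end + 1  # resume after the match; earlier text is never rescanned
    return variables


if __name__ == "__main__":
    # Constructed sample template.
    print(extract_input_variables_linear(
        "Tell me about {topic} in {language}. Keep {{these}} braces."))
```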


WAF Protection Rules

WAF Rule

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipul
