CVE-2024-42835
Published: 31 October 2024
Summary
CVE-2024-42835 is a critical-severity vulnerability of unspecified weakness type in Langflow. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Langflow version 1.0.12 contains a remote code execution vulnerability in the PythonCodeTool component. The flaw received a CVSS 3.1 score of 9.8, reflecting network attack vector, low attack complexity, and no requirements for authentication or user interaction, with impacts rated high for confidentiality, integrity, and availability.
An unauthenticated attacker with network access can supply malicious input to the PythonCodeTool component and execute arbitrary code on the underlying system, resulting in full host compromise. The vulnerability affects any deployment exposing the affected Langflow instance without additional compensating controls.
The associated GitHub issue at https://github.com/langflow-ai/langflow/issues/2908 tracks the report. EPSS for the CVE rose from a low baseline to a peak of 0.1624 on 2026-03-24 before receding to the current value of 0.0911, indicating measurable post-disclosure exploitation interest. Langflow is a framework used to build AI agent workflows, placing the issue in an AI/ML tooling context.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2942
Vulnerability details
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.