CVE-2024-9277
Published: 27 September 2024
Summary
CVE-2024-9277 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Langflow Langflow. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2701
Vulnerability details
A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient…
more
regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Langflow is an open-source visual platform for building and deploying LLM-based workflows, multi-agent applications, and RAG pipelines using LangChain, fitting as an 'Other Platforms' category for AI development tools.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The ReDoS vulnerability (CWE-1333) in Langflow's HTTP POST /prompt endpoint allows remote attackers to send crafted 'remaining_text' input, causing inefficient regex processing with exponential CPU consumption in a while loop, enabling application-level denial of service via exploitation.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.