Cyber Resilience

CVE-2024-9277

MediumPublic PoC

Published: 27 September 2024

Published
27 September 2024
Modified
05 June 2025
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 38.0th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9277 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Langflow Langflow. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: External Harms (AML.T0048).

EU & UK References

Vulnerability details

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient…

more

regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Langflow is an open-source visual platform for building and deploying LLM-based workflows, multi-agent applications, and RAG pipelines using LangChain, fitting as an 'Other Platforms' category for AI development tools.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The ReDoS vulnerability (CWE-1333) in Langflow's HTTP POST /prompt endpoint allows remote attackers to send crafted 'remaining_text' input, causing inefficient regex processing with exponential CPU consumption in a while loop, enabling application-level denial of service via exploitation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

Affected Assets

langflow
langflow
≤ 1.0.18

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References