AVID-2026-R1495
Description
Vulnerability CVE-2024-37014
Details
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the “POST /api/v1/custom_component” endpoint and provide a Python script.
Reason for inclusion in AVID: CVE-2024-37014 describes remote code execution in Langflow (AI workflow/deployment tooling) via unauthenticated Python script submission to /api/v1/custom_component. This is a software vulnerability in a component used to build and deploy AI pipelines, representing a software supply chain issue within general-purpose AI systems. It is not a hardware- or firmware-only issue. The evidence (description and CVE reference) supports classification as an RCE vulnerability in an AI software stack.
References
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-06-10
- Version: 0.3.3
- AVID Entry