CRITICAL 9.8

PYSEC-2024-177

Details

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.

Affected packages

PyPI / langflow
Introduced in: 0
Fixed in: 1.0.0a3
Fix: pip install --upgrade 'langflow>=1.0.0a3'