CVE-2024-21574

CVSS V2: None | CVSS V3: None
Description
The issue stems from missing validation of the pip field in a POST request sent to the /customnode/install endpoint, which the extension adds to the server and which is used to install custom nodes. This allows an attacker to craft a request that triggers a pip install of a user-controlled package or URL, resulting in remote code execution (RCE) on the server.
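The missing check, sketched as an added example (not the extension's own code or its actual fix): server-side validation of the pip field before anything reaches pip. It assumes the field is a list of requirement strings; the allowlist contents and the names validate_pip_field and build_pip_argv are hypothetical.

```python
import re
import sys

# Hypothetical allowlist of packages the operator has vetted (constructed sample).
ALLOWED_PACKAGES = {"numpy", "pillow", "opencv-python"}

_CLAUSE = r"(?:==|>=|<=|~=|!=|<|>)[A-Za-z0-9.*+!]+"
# A bare project name, optionally followed by comma-separated version clauses.
# URLs, paths, whitespace and anything starting with "-" cannot match.
_REQ = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    rf"(?P<spec>{_CLAUSE}(?:,{_CLAUSE})*)?"
)

def normalize(name):
    """PEP 503 name normalization, so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def validate_pip_field(pip, allowed=ALLOWED_PACKAGES):
    """Return the vetted requirement strings, or raise ValueError."""
    if not isinstance(pip, list):
        raise ValueError("pip must be a list of requirement strings")
    checked = []
    for entry in pip:
        if not isinstance(entry, str):
            raise ValueError("pip entries must be strings")
        match = _REQ.fullmatch(entry)  # fullmatch: no trailing data allowed
        if match is None:
            raise ValueError(f"rejected pip entry: {entry!r}")
        name = normalize(match.group("name"))
        if name not in allowed:
            raise ValueError(f"package not on the allowlist: {name!r}")
        checked.append(name + (match.group("spec") or ""))
    return checked

def build_pip_argv(requirements):
    """Build an argument list (never a shell string) from validated entries."""
    return [sys.executable, "-m", "pip", "install", *requirements]

if __name__ == "__main__":
    # Constructed request bodies: one acceptable, one pointing at a URL.
    for body in ({"pip": ["numpy==1.26.4"]},
                 {"pip": ["https://example.invalid/pkg.tar.gz"]}):
        try:
            print(build_pip_argv(validate_pip_field(body["pip"])))
        except ValueError as err:
            print("refused:", err)
```

Validation alone only narrows what can be installed; the endpoint still needs to be reachable only by users who are allowed to install code on the server.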
Overview
  • CVE ID: CVE-2024-21574
  • Assigner: snyk
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-12-12T08:15:11.464Z
  • Last Modified Date: 2024-12-12T14:37:18.494Z
History
Created Old Value New Value Data Type Notes
2024-12-13 13:36:47 Added to TrackCVE