CVE-2024-42835: 
Homebrew vulnerability analysis and mitigation

Langflow version 1.0.12 contains a remote code execution (RCE) vulnerability through the PythonCodeTool component. The vulnerability was discovered and reported on July 24, 2024, and is tracked as CVE-2024-42835. The issue affects systems running Langflow v1.0.12 where the PythonCodeTool component is accessible (Github Issue).

The vulnerability exists in the PythonCodeTool component's build function, which executes Python code directly using the exec() function without proper validation. The function accepts user-controlled input through the tool_code parameter and executes it within a local namespace, allowing arbitrary code execution. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

An attacker can exploit this vulnerability to execute arbitrary code on the server where the Langflow application is deployed. This could lead to complete system compromise, allowing attackers to access sensitive data, modify system files, and potentially gain full control of the affected server (Github Issue).

As of the vulnerability disclosure, users should avoid using the PythonCodeTool component until a patch is released. System administrators should implement additional security controls and input validation mechanisms when deploying Langflow applications (Github Issue).