Critical severity 10.0 · OSV Advisory · Published Dec 12, 2024 · Updated Apr 15, 2026
CVE-2024-21574
Description
The issue stems from missing validation of the pip field in a POST request to the /customnode/install endpoint, which the extension adds to the server to install custom nodes. This allows an attacker to craft a request that triggers a pip install of a user-controlled package or URL, resulting in remote code execution (RCE) on the server.
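The server-side check that is missing here, as an added example that is not code from the advisory or from the affected extension: the pip field is only accepted when each entry is a plain pinned requirement and is one the node itself declares, so the request body can never point pip at a URL, path, VCS spec or option flag. The node id, the allowlist and the function names are assumptions for the example.

```python
import re
import sys
from typing import Iterable

# Constructed allowlist standing in for the requirements a custom node declares
# in its own metadata; the server, not the request, should be the source of truth.
KNOWN_NODE_REQUIREMENTS = {
    "example-node": {"numpy", "pillow==10.3.0"},
}

# A conservative requirement shape: a PEP 503-style name plus an optional pinned
# version. No URLs, paths, option flags, extras or environment markers.
_REQ_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?(?:==[0-9][A-Za-z0-9.+!]*)?$"
)


def validate_pip_field(node_id: str, pip_values: Iterable[str]) -> list[str]:
    """Return the requirements that may be installed for node_id.

    Raises ValueError for anything that is not a plain pinned requirement or
    that the node did not declare.
    """
    declared = KNOWN_NODE_REQUIREMENTS.get(node_id)
    if declared is None:
        raise ValueError(f"unknown custom node: {node_id!r}")
    accepted = []
    for raw in pip_values:
        if not isinstance(raw, str):
            raise ValueError("pip entries must be strings")
        value = raw.strip()
        if not _REQ_RE.fullmatch(value):   # rejects '-', '://', '/', '@', '+', spaces
            raise ValueError(f"rejected pip entry: {raw!r}")
        if value not in declared:          # a well-formed name is still attacker-chosen
            raise ValueError(f"{value!r} is not declared by {node_id!r}")
        accepted.append(value)
    return accepted


def pip_install_argv(requirements: list[str]) -> list[str]:
    """Argument vector for subprocess (a list, no shell, nothing re-parsed)."""
    return [sys.executable, "-m", "pip", "install", *requirements]


def is_rejected(node_id: str, pip_values: Iterable[str]) -> bool:
    """True when validate_pip_field refuses the request body."""
    try:
        validate_pip_field(node_id, pip_values)
    except ValueError:
        return True
    return False
```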
Affected products
- (no CPE) range: 2.48.1, 2.48.2, 2.48.3, … (+ 1 more)
- (no CPE)
Patches
Vulnerability mechanics
References