VYPR
Critical severity 10.0 · OSV Advisory · Published Dec 12, 2024 · Updated Apr 15, 2026

CVE-2024-21574

Description

The issue stems from missing validation of the pip field in POST requests to the /customnode/install endpoint, which the extension adds to the server for installing custom nodes. An attacker can craft a request that triggers a pip install of a user-controlled package or URL, resulting in remote code execution (RCE) on the server.
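
One way to add the missing check, as an added example (not the extension's own code or its actual patch): the handler validates the pip field against a reviewed allowlist before anything reaches pip. The request shape (a list of requirement strings), the allowlist contents and the function names are assumptions.

```python
import re
import sys

# Constructed allowlist (assumption): packages the operator has reviewed.
ALLOWED_PACKAGES = {"numpy", "pillow", "opencv-python"}

# A bare project name with an optional exact "==version" pin, nothing else.
_SPEC = re.compile(
    r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:==([A-Za-z0-9][A-Za-z0-9.+!_-]*))?"
)


def _normalize(name):
    """PEP 503 normalization so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def validate_pip_field(value):
    """Return vetted requirement strings, or raise ValueError.

    Anything that is not 'name' or 'name==version' fails the pattern:
    URLs, VCS references, paths, 'name @ url' and pip options.
    """
    if not isinstance(value, list):
        raise ValueError("pip field must be a list of strings")
    vetted = []
    for item in value:
        match = _SPEC.fullmatch(item) if isinstance(item, str) else None
        if match is None:
            raise ValueError(f"rejected requirement: {item!r}")
        name, version = _normalize(match.group(1)), match.group(2)
        if name not in ALLOWED_PACKAGES:
            raise ValueError(f"package not on allowlist: {name!r}")
        vetted.append(f"{name}=={version}" if version else name)
    return vetted


def build_install_argv(value):
    """Argument vector for pip: no shell, only vetted requirements."""
    return [sys.executable, "-m", "pip", "install", *validate_pip_field(value)]
```

The endpoint should also require authentication and not be reachable from untrusted networks; input validation alone does not cover a request that an unauthenticated client is allowed to send.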

Affected products

2
  • 2.48.1, 2.48.2, 2.48.3, … + 1 more
    • (no CPE) range: 2.48.1, 2.48.2, 2.48.3, …
    • (no CPE)
