CVE-2024-21574P2CRITICALCVSS 10.0fixed in 2.51.12024-12-12
CVE-2024-21574 [CRITICAL] CWE-94 CVE-2024-21574: The issue stems from a missing validation of the pip field in a POST request sent to the /customnode
The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the
nvd