The issue stems from a missing validation of the pip...
Critical severity
Unreviewed
Published
Dec 12, 2024
to the GitHub Advisory Database
•
Updated Dec 12, 2024
Description
Published by the National Vulnerability Database
Dec 12, 2024
Published to the GitHub Advisory Database
Dec 12, 2024
Last updated
Dec 12, 2024
The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server.
References