Limshow

**Name of the Vulnerable Software and Affected Versions** langflow-ai langflow versions prior to 1.8.5 **Description** An issue in the Full Builtins Module Handler allows for remote command injection. This occurs within the `CodeParser.parse callable details()` function located in the `src/lfx/src/lfx/custom/code parser/code parser.py` file. Command injection is a flaw that allows an attacker to execute arbitrary operating system commands on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the `CodeParser.parse callable details()` function to minimize the risk of exploitation.