Langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- <= 1.6.9
This vulnerability is being actively exploited in the wild.
A critical vulnerability chain has been identified in Langflow versions through 1.6.9 that allows account takeover and remote code execution. The root cause is an overly permissive Cross-Origin Resource Sharing (CORS) configuration that permits credentialed cross-origin requests from any origin; in practice this means the requesting Origin is echoed back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, since browsers refuse to honour a wildcard origin on a credentialed request. That alone would not expose a session, because browsers do not attach cookies to cross-site requests unless the cookie is marked SameSite=None. Langflow sets the refresh token cookie to 'SameSite=None', so a malicious webpage loaded in a logged-in user's browser can call the refresh endpoint with the victim's cookie attached, read the response, and obtain fresh tokens. With those tokens the attacker can reach authenticated endpoints, including ones that execute code, leading to full system compromise.
Successful exploitation allows complete account takeover and remote code execution on the affected Langflow instance. The compromise extends to every access token and API key stored in the Langflow workspace, so integrated downstream services in cloud and SaaS environments that those credentials reach should be treated as exposed as well.
To reproduce this vulnerability, deploy Langflow in a Docker container with HTTPS enabled. HTTPS matters because browsers only send a SameSite=None cookie when it also carries the Secure attribute, so a plain-HTTP deployment will not exhibit the issue. While a victim is logged in, a page served from any other origin issues a credentialed cross-origin request (a fetch with credentials included) to the '/api/v1/refresh' endpoint; the victim's browser attaches the refresh token cookie from the victim session, and because of the CORS headers the attacker's page can read the response, which contains a new access token and refresh token. Those tokens can then be used against authenticated endpoints, including arbitrary code execution through the '/api/v1/validate/code' endpoint.
Users can mitigate this vulnerability by manually restricting their CORS settings to the origins that actually serve the Langflow UI, and by never combining a wildcard or reflected origin with Access-Control-Allow-Credentials: true. The Langflow team has also released version 1.6.0, which introduces environment variables to customize the CORS configuration, so operators on 1.6.x can apply that restriction without patching code. In the upcoming version 1.7, Langflow will implement more secure defaults for both CORS and the refresh token cookie. Until an instance is reconfigured, keep it off untrusted networks and rotate any tokens or API keys held in a workspace that may have been exposed.
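The chain above depends on two independent conditions holding at once: the CORS response releasing a credentialed cross-origin response to a foreign page, and the refresh cookie being sent on a cross-site request. The following is an added example, not code from Langflow or from the original advisory: a dependency-free Python check that judges response headers the way a browser does, run here against constructed weak and hardened responses, plus a helper that probes a live instance. The attacker origin, the cookie name, the use of POST against /api/v1/refresh, and the assumption that CORS middleware still sets its headers on an unauthenticated 401 are all assumptions, not facts from the advisory.

```python
"""Check the two conditions behind the Langflow refresh-token hijack.

Added example with constructed data. Header names are case-insensitive, as in
HTTP; the origin and cookie name below are placeholders, not Langflow's own.
"""
import http.client
import ssl
from urllib.parse import urlparse

# Assumed attacker-controlled origin, used as the Origin header of the probe.
ATTACKER_ORIGIN = "https://attacker.example"

# Constructed responses (not captured from a real instance). "refresh_token"
# is a placeholder cookie name.
WEAK_RESPONSE = {
    "Access-Control-Allow-Origin": ATTACKER_ORIGIN,  # server reflected our Origin
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=example; Path=/; Secure; HttpOnly; SameSite=None",
}
HARDENED_RESPONSE = {
    "Access-Control-Allow-Origin": "https://langflow.internal.example",  # fixed allow-list
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=example; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def cors_exposes_credentialed_response(origin: str, headers: dict) -> bool:
    """True if a page at `origin` could read a credentialed response.

    Browsers only release the body of a credentialed cross-origin response when
    Access-Control-Allow-Origin equals the exact origin (a literal '*' is
    rejected with credentials) and Access-Control-Allow-Credentials is 'true'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (
        h.get("access-control-allow-origin") == origin
        and h.get("access-control-allow-credentials", "").lower() == "true"
    )


def cookie_attached_cross_site(set_cookie: str) -> bool:
    """True if a browser would attach this cookie to a cross-site fetch.

    That needs SameSite=None together with Secure: modern browsers treat a
    missing SameSite as Lax and drop SameSite=None on non-Secure cookies.
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # skip the name=value pair itself
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip().lower()
    return attrs.get("samesite") == "none" and "secure" in attrs


def assess(origin: str, headers: dict) -> dict:
    """Combine both checks; the token hijack needs both conditions to hold."""
    cors = cors_exposes_credentialed_response(origin, headers)
    set_cookie = next((v for k, v in headers.items() if k.lower() == "set-cookie"), "")
    cookie = cookie_attached_cross_site(set_cookie)
    return {
        "cors_reflects_origin_with_credentials": cors,
        "refresh_cookie_sent_cross_site": cookie,
        "token_hijack_possible": cors and cookie,
    }


def probe_refresh_endpoint(base_url: str, origin: str = ATTACKER_ORIGIN,
                           verify_tls: bool = True) -> dict:
    """Send one unauthenticated POST to /api/v1/refresh with a foreign Origin
    and assess the CORS headers that come back.

    Assumes the CORS middleware adds its headers even to a 401. No cookie is
    returned without a session, so feed the Set-Cookie from your own logged-in
    refresh response to cookie_attached_cross_site() separately. Needs a
    reachable instance; it is not called in this file.
    """
    u = urlparse(base_url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:  # lab instances often use a self-signed certificate
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port, timeout=10, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=10)
    try:
        conn.request("POST", "/api/v1/refresh", headers={"Origin": origin})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return {"status": resp.status,
                "cors_reflects_origin_with_credentials":
                    cors_exposes_credentialed_response(origin, headers)}
    finally:
        conn.close()


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, assess(ATTACKER_ORIGIN, response))
```

The hardened response still allows credentials, which is fine as long as the allowed origin is a fixed allow-list rather than a reflection of the request; the check fails for the attacker origin because the echoed origin does not match. The wildcard case is covered as well: a server answering '*' with credentials is not exploitable this way, because the browser withholds the response.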