langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- < 1.7.0
A vulnerability in Langflow versions prior to 1.7.0 allows authenticated users to specify arbitrary file paths in the request body's 'fs_path' field. The server then serializes the Flow object into JSON and writes it to the specified path, creating or overwriting a file without any path validation or restrictions. This issue could lead to unauthorized modification of files, including configuration or log files, depending on the specified path and the application's file handling.
Exploitation of this vulnerability could result in unauthorized overwriting of files within the server's permission scope, potentially corrupting application data or disrupting normal operations. In environments with elevated privileges, there is a risk of overwriting critical system files. The vulnerability also allows base directory traversal, increasing the likelihood of impacting sensitive files.
To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/v1/flows/' endpoint with an arbitrary file path in the 'fs_path' field. The Flow JSON will be written to the specified path, overwriting any existing file. This can be done with a tool like curl by including the API key in the request headers.
Users are advised to update Langflow to version 1.7.0 or later, where this vulnerability has been fixed.
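The missing control described above is confinement of the client-supplied 'fs_path' to a fixed base directory. The following is an added example of such a check, not Langflow's code and not the actual 1.7.0 fix; the names `resolve_inside`, `save_flow_json` and `demo`, the base directory, and the sample values are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Client-supplied path would land outside the allowed base directory."""


def resolve_inside(base_dir, user_path):
    """Return user_path as an absolute path guaranteed to lie under base_dir."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or embedded NUL")
    base = Path(base_dir).resolve(strict=True)
    # An absolute user_path replaces base in the join, so the containment check
    # below is what rejects absolute paths as well as "../" sequences.
    candidate = (base / user_path).resolve()  # resolve() also follows symlinks
    # parents excludes the path itself, so "." (the base directory) is refused.
    if base not in candidate.parents:
        raise UnsafePathError(f"{user_path!r} escapes {base}")
    return candidate


def save_flow_json(base_dir, user_path, flow_json):
    """Write flow_json under base_dir; hypothetical stand-in for the save step."""
    target = resolve_inside(base_dir, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where available) refuses a final component that was swapped
    # for a symlink after the check above.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "w", encoding="utf-8") as fh:
        fh.write(flow_json)
    return target


def demo():
    """Run constructed fs_path values through the check; map value -> accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "flows"
        base.mkdir()
        os.symlink(tmp, base / "link_out")  # constructed symlink leaving base
        for fs_path in ["my_flow.json", "team/a.json", "../outside.json",
                        "/tmp/abs.json", "link_out/x.json", "a/../../b.json"]:
            try:
                save_flow_json(base, fs_path, '{"name": "demo"}')
                results[fs_path] = True
            except UnsafePathError:
                results[fs_path] = False
    return results
```

Calling `demo()` returns a mapping from each constructed 'fs_path' value to whether the write was allowed; only the two relative paths that stay inside the base directory are accepted.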