Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Langflow Unauthenticated Remote Code Execution Vulnerability via Public Flow Build Endpoint

Vulnerability

A remote code execution vulnerability has been identified in Langflow, a tool for creating AI-powered agents and workflows. This issue affects versions of Langflow through 1.8.1. The vulnerability arises in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intended to allow the creation of public flows without authentication. However, when the optional data parameter is used, the endpoint accepts flow data controlled by the attacker, including arbitrary Python code, instead of the original flow data stored in the database. This injected code is executed via exec() without any sandboxing, leading to unauthenticated remote code execution. The vulnerability is particularly concerning because it can be exploited by an unauthenticated attacker who knows the UUID of a public flow.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with full privileges to the server process. This could lead to a complete compromise of the server, including arbitrary file read/write capabilities, execution of commands, and exfiltration of environment variables such as API keys and database credentials. The vulnerability could also be exploited to gain reverse shell access for persistent access or to move laterally within a network.

Reproduction

To reproduce this vulnerability, first create a public flow in a Langflow instance running a vulnerable version. Then, send a POST request to the /api/v1/build_public_tmp/{flow_id}/flow endpoint, including a client_id cookie and a data parameter that contains malicious flow data with executable Python code. The server will process the request, execute the injected code, and confirm the successful exploitation by checking for the execution of the injected payload.

Remediation

Langflow has released a patch in version 1.9.0. Users should update to this version to address the vulnerability.
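Added example, not part of this advisory or of the Langflow project: a small triage helper that flags the request shape described above (a POST to the public build endpoint that supplies its own data) in a request log, and checks a deployed version against the 1.9.0 fix. The JSON-lines log format and the flow id are assumptions constructed for the example.

```python
import json
import re
from typing import Iterable, List, Tuple

# Endpoint named in the advisory; the path segment is the public flow's UUID.
PUBLIC_BUILD_RE = re.compile(r"^/api/v1/build_public_tmp/[0-9a-fA-F-]{36}/flow/?$")

FIXED_VERSION = (1, 9, 0)  # first patched release per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.1' (or 'v1.8.1') into (1, 8, 1) for tuple comparison."""
    return tuple(int(p) for p in text.lstrip("v").split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for every release before 1.9.0, i.e. all versions through 1.8.1."""
    return parse_version(version) < FIXED_VERSION


def is_suspicious_request(method: str, path: str, body: str) -> bool:
    """Flag a POST to the public build endpoint whose JSON body sets 'data'.

    Without 'data' the server builds the flow stored in its database (the
    intended use); with 'data' the caller supplies the flow content that the
    server will build, which is the condition the advisory describes.
    """
    if method.upper() != "POST" or not PUBLIC_BUILD_RE.match(path):
        return False
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return True  # malformed JSON at this endpoint still merits review
    return isinstance(payload, dict) and payload.get("data") is not None


def flag_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, path) for each flagged request in a JSON-lines log."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        if is_suspicious_request(rec["method"], rec["path"], rec.get("body", "")):
            hits.append((n, rec["path"]))
    return hits


# Constructed sample log, not real traffic; the flow id is a placeholder UUID.
FLOW = "00000000-0000-4000-8000-000000000001"
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/v1/build_public_tmp/' + FLOW + '/flow","body":"{}"}',
    '{"method":"POST","path":"/api/v1/build_public_tmp/' + FLOW + '/flow","body":"{\\"data\\":{\\"nodes\\":[]}}"}',
    '{"method":"GET","path":"/api/v1/flows/","body":""}',
]
```

Only the second sample line is flagged: same endpoint, but the body carries a `data` object. Feed the helper your own proxy or application logs in the same shape, or adapt `flag_log` to your log format.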

Added: Mar 20, 2026, 5:22 AM
Updated: Mar 25, 2026, 9:49 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 8.5
remediation: 7.7
relevance: 4.2
threat: 8.5
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.