IBM Langflow Desktop Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in IBM Langflow Desktop versions 1.0.0 through 1.8.4. An authenticated attacker can cause the Langflow server to issue requests to internal or otherwise restricted network resources, such as services bound to localhost, hosts in private IP ranges, and cloud metadata endpoints. The flaw arises because user-supplied URLs are not properly validated before being used in backend HTTP requests. Because the retrieved responses are relayed back through the Langflow execution flow, exploitation could give the attacker unauthorized access to sensitive internal systems and data.
Impact
Exploitation of this vulnerability could allow an authenticated attacker to access internal network resources and sensitive data by forcing the Langflow server to make arbitrary HTTP requests to those resources and relaying the responses back through the Langflow application.
Remediation
Users are advised to upgrade to IBM Langflow Desktop version 1.9.0 or newer. Instructions for downloading Langflow Desktop are available on the Langflow website.