Langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- <= 1.8.1
A vulnerability in the Agentic Assistant feature of Langflow prior to version 1.9.0 allows arbitrary Python code execution on the server. The issue arises during the validation phase for LLM-generated component code: the implementation inadvertently executes the generated code dynamically and instantiates the generated class on the server side. In environments where an attacker can access the Agentic Assistant and influence the model's output, this could lead to unauthorized execution of Python code with potentially significant impact.
Exploitation of this vulnerability allows authenticated or feature-reachable arbitrary code execution on the server, with risks including OS command execution, file manipulation, disclosure of credentials or secrets, and complete compromise of the Langflow process.
To reproduce this vulnerability, send a request to the Agentic Assistant endpoint with input that prompts the model to generate malicious component code. Once the code is returned, it will be processed through the validation pipeline, where it is extracted and executed on the server. This can be done via the '/assist' endpoint or the '/assist/stream' endpoint, depending on how the request is classified.
Users should update to Langflow version 1.9.0 or later, where this vulnerability has been addressed.
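The root cause above is a validation step that runs the generated module (exec-style) and instantiates the class it defines, so anything at module level, in the class body or in `__init__` executes on the server. The following is an added illustration, not Langflow's code, of how such a validation step can check the shape of LLM-generated component code with the `ast` module without ever executing it. The required base-class name `Component`, the denylists and the two sample components are constructed assumptions for the example.

```python
"""
Static validation of LLM-generated component code without executing it.

Added illustration, not Langflow's code. The source is parsed with ast and
checked for shape; exec() is never called and no class is instantiated.
REQUIRED_BASE, the denylists and the sample components are constructed.
"""
import ast
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed name of the base class every generated component must extend.
REQUIRED_BASE = "Component"
# Constructed denylists: calls and modules that must not appear in generated code.
FORBIDDEN_CALLS = {"exec", "eval", "compile", "__import__", "open", "getattr", "setattr"}
FORBIDDEN_MODULES = {"os", "sys", "subprocess", "shutil", "socket", "ctypes",
                     "importlib", "pickle", "builtins"}


@dataclass
class ValidationResult:
    ok: bool
    class_name: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def _is_docstring(node: ast.stmt) -> bool:
    return (isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant)
            and isinstance(node.value.value, str))


def validate_component_source(source: str) -> ValidationResult:
    """Check generated component source statically; the code is never run."""
    result = ValidationResult(ok=False)
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        result.errors.append(f"syntax error at line {exc.lineno}: {exc.msg}")
        return result

    # Module level may contain only imports, a docstring and one class definition;
    # any other statement would execute the moment the module was run.
    for node in tree.body:
        if not isinstance(node, (ast.Import, ast.ImportFrom, ast.ClassDef)) and not _is_docstring(node):
            result.errors.append(f"top-level statement at line {node.lineno}: {type(node).__name__}")

    classes = [n for n in tree.body if isinstance(n, ast.ClassDef)]
    if len(classes) != 1:
        result.errors.append(f"expected exactly one top-level class, found {len(classes)}")
    else:
        cls = classes[0]
        result.class_name = cls.name
        bases = {b.id for b in cls.bases if isinstance(b, ast.Name)}
        if REQUIRED_BASE not in bases:
            result.errors.append(f"class {cls.name} must extend {REQUIRED_BASE}")

    # Walk every node (class body, methods, nested scopes) for denied constructs.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in FORBIDDEN_MODULES:
                    result.errors.append(f"forbidden import '{alias.name}' at line {node.lineno}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in FORBIDDEN_MODULES:
                result.errors.append(f"forbidden import from '{node.module}' at line {node.lineno}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in FORBIDDEN_CALLS:
                result.errors.append(f"forbidden call {node.func.id}() at line {node.lineno}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Rejects __class__/__subclasses__/__globals__ style attribute walks.
            result.errors.append(f"dunder attribute '{node.attr}' at line {node.lineno}")

    result.ok = not result.errors
    return result


# Constructed sample inputs.
GOOD_COMPONENT = '''
from typing import Any

class UpperCaseComponent(Component):
    """Uppercases its text input."""
    def run(self, text: str) -> str:
        return text.upper()
'''

BAD_COMPONENT = '''
import subprocess

class LeakyComponent(Component):
    # Class-body statements execute as soon as the module is run.
    token = open("token.txt").read()
    def __init__(self):
        # Runs when a validator instantiates the class.
        subprocess.run(["true"])
'''

if __name__ == "__main__":
    for name, src in (("good", GOOD_COMPONENT), ("bad", BAD_COMPONENT)):
        r = validate_component_source(src)
        print(name, "ok" if r.ok else "rejected", r.errors)
```

The validator deliberately reports every finding rather than stopping at the first, so an operator reviewing rejected generations can see the full picture. A static check of this kind is a gate, not a sandbox: code that passes it should still only be loaded later under whatever isolation the deployment provides, and the denylists are a starting point to be tightened per deployment rather than a complete list.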