Langflow Information Disclosure Vulnerability in Flow Using API Component

A vulnerability allowing information disclosure has been identified in Langflow versions through 1.8.3. The issue arises in the Flow Using API component, specifically within the `remove_api_keys` function in `src/backend/base/langflow/api/utils/core.py`. This function fails to properly redact sensitive information, such as API keys and passwords, when exporting flow data. The vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability leads to an information leak, where sensitive credentials, including database passwords and third-party service secrets, are exposed in exported flow JSON files. This could allow unauthorized access to integrated external services or infrastructure.

Reproduction

To reproduce this vulnerability, create a flow that includes a sensitive field named 'password' or similar, ensuring it is marked as a password. Once the flow is saved, download it using the Langflow API. The exported JSON will contain the unredacted password, demonstrating the information leak.