langflow-ai langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- <= 1.8.3
A vulnerability exists in Langflow AI's project management feature, specifically in versions up to 1.8.3. The issue arises in the project creation API, where sensitive authentication data, such as API keys and passwords, is stored in plaintext instead of being encrypted. This flaw is due to the encryption function only processing a limited set of predefined fields, leaving other sensitive information exposed. The vulnerability can be exploited remotely, and a public proof-of-concept is available.
Exploitation of this vulnerability leads to the insecure storage of sensitive authentication credentials in plaintext, creating a risk of unauthorized access to API keys and other confidential information. This exposure can occur through direct database access or via the application's project retrieval endpoints.
To reproduce this vulnerability, create a new project using the Langflow API's project creation endpoint. Include sensitive authentication information in the 'auth_settings' field, such as a database password. Once the project is created, retrieve it using the 'GET' project endpoint. The response will include the 'auth_settings' with the sensitive information in plaintext, demonstrating the lack of proper encryption.
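The storage flaw described above, reduced to its field-selection logic, as an added example that is not Langflow's code. The field names, the `enc:` marker and `stand_in_encrypt` are assumptions made for illustration; it contrasts encrypting only a predefined list of fields with encrypting every string in `auth_settings` by default, and adds an audit check for values left in plaintext.

```python
from typing import Any, Callable

# Hypothetical field names; the page does not list the fields Langflow encrypts.
PREDEFINED_SECRET_FIELDS = {"api_key", "oauth_client_secret"}
KNOWN_NON_SECRET_FIELDS = {"auth_type", "oauth_host", "oauth_port"}
MARK = "enc:"  # constructed ciphertext marker for this demo


def stand_in_encrypt(value: str) -> str:
    """Placeholder only, NOT encryption: swap in authenticated encryption in real code."""
    return MARK + "<ciphertext>"


def encrypt_predefined_only(settings: dict, encrypt: Callable[[str], str]) -> dict:
    """Flawed pattern from the description: fields outside the fixed list stay plaintext."""
    return {k: encrypt(v) if k in PREDEFINED_SECRET_FIELDS and isinstance(v, str) else v
            for k, v in settings.items()}


def encrypt_by_default(value: Any, encrypt: Callable[[str], str], key: str = "") -> Any:
    """Hardened pattern: encrypt every string leaf unless its key is known non-secret."""
    if isinstance(value, dict):
        return {k: encrypt_by_default(v, encrypt, k) for k, v in value.items()}
    if isinstance(value, list):
        return [encrypt_by_default(v, encrypt, key) for v in value]
    if isinstance(value, str) and key not in KNOWN_NON_SECRET_FIELDS and not value.startswith(MARK):
        return encrypt(value)
    return value


def plaintext_leaves(value: Any, key: str = "", path: str = "") -> list:
    """Audit check: paths of string leaves stored without the ciphertext marker."""
    if isinstance(value, dict):
        return sorted(p for k, v in value.items()
                      for p in plaintext_leaves(v, k, f"{path}.{k}" if path else k))
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in plaintext_leaves(v, key, f"{path}[{i}]")]
    if isinstance(value, str) and key not in KNOWN_NON_SECRET_FIELDS and not value.startswith(MARK):
        return [path]
    return []


# Constructed sample auth_settings; all values are made up.
SAMPLE = {"auth_type": "apikey", "api_key": "constructed-key",
          "db_password": "constructed-password", "extra": {"token": "constructed-token"}}

if __name__ == "__main__":
    print(plaintext_leaves(encrypt_predefined_only(SAMPLE, stand_in_encrypt)))
    print(plaintext_leaves(encrypt_by_default(SAMPLE, stand_in_encrypt)))
```

The marker test in `plaintext_leaves` only suits this demo; an audit of real records should attempt decryption, since a caller could submit a value that already carries the prefix.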