Vendor / product: langflow-ai / langflow
CPE: cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
Affected versions:
- <= 1.8.3
A stored cross-site scripting vulnerability affects Langflow versions up to and including 1.8.3. The issue lies in the frontend React component that renders chat messages and flow descriptions: the 'MarkdownField' component enables raw HTML through the 'rehype-raw' plugin but does not sanitize that HTML before rendering it. An authenticated user can therefore inject JavaScript that is stored in the database and executed in the browser of every user who views the affected content.
Exploitation allows the injected JavaScript to run in the victim's browser, leading to session hijacking by stealing access tokens from LocalStorage, and to unauthorized actions carried out through API calls made on the victim's behalf, such as deleting projects or modifying settings. In a shared environment, a single compromised flow affects every administrator who opens it.
The vulnerability can be reproduced by logging into Langflow and sending a chat message, or updating a project's flow description, that contains an XSS payload such as an image tag with an 'onerror' event handler. Once saved, the payload executes whenever the message or project is viewed.
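The root cause above is a raw-HTML path with no allowlist step between parsing and rendering. The following is an added example, not Langflow's code and not the upstream fix: a small allowlist sanitizer that keeps only known-safe tags and attributes (so every `on*` handler, `<script>` element and `javascript:` URL is dropped), plus a scanner that reports why a stored message or flow description would have been blocked, which is useful for sweeping rows already in the database. The tag and attribute allowlists, the helper names and the sample input are assumptions chosen for the demonstration.

```javascript
// Added example (not Langflow's own code): allowlist sanitizer for raw HTML that
// arrives through a Markdown pipeline, plus a scanner for already-stored active
// content. The allowlists below are assumptions for the demo, not Langflow's config.

const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "img",
]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "title"] };
const SAFE_SCHEMES = ["http", "https", "mailto"];

// Matches one start or end tag; group 1 is the tag name, group 2 the attribute block.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// Matches one name="value", name='value', name=value or bare name inside that block.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// A URL is acceptable when it has no scheme (relative path or fragment) or an
// allowlisted one; this is what blocks javascript: and data: URLs.
function isSafeUrl(value) {
  const scheme = value.trim().toLowerCase().match(/^([a-z][a-z0-9+.-]*):/);
  return scheme === null || SAFE_SCHEMES.includes(scheme[1]);
}

function attributesOf(attrBlock) {
  return Array.from(attrBlock.matchAll(ATTR_RE), (a) => ({
    name: a[1].toLowerCase(),
    value: a[2] ?? a[3] ?? a[4] ?? "",
  }));
}

// Rebuilds the HTML keeping only allowlisted tags and attributes; other tags are
// dropped and all text is escaped, so no handler or script reaches the DOM.
function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;                 // <script>, <iframe>, <svg>, ...
    if (m[0].startsWith("</")) { out += `</${name}>`; continue; }
    const keep = ALLOWED_ATTRS[name] || [];
    let attrs = "";
    for (const { name: attr, value } of attributesOf(m[2])) {
      if (!keep.includes(attr)) continue;                  // drops onerror, onclick, style, ...
      if ((attr === "href" || attr === "src") && !isSafeUrl(value)) continue;
      attrs += ` ${attr}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Detection helper: lists the reasons a stored message or flow description would be
// blocked, for sweeping existing database rows once the sanitizer is in place.
function findActiveContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    if (m[0].startsWith("</")) continue;
    const name = m[1].toLowerCase();
    if (["script", "iframe", "object", "embed"].includes(name)) findings.push(`element:${name}`);
    for (const { name: attr, value } of attributesOf(m[2])) {
      if (attr.startsWith("on")) findings.push(`handler:${name}.${attr}`);
      else if ((attr === "href" || attr === "src") && !isSafeUrl(value)) findings.push(`url:${name}.${attr}`);
    }
  }
  return findings;
}

// Constructed sample of the kind of stored content the advisory describes (a chat
// message carrying an image tag with an event handler); not taken from the page.
const SAMPLE = '<p>hi <img src="x" onerror="alert(1)"> <a href="javascript:alert(1)">x</a><script>alert(1)</script></p>';
console.log(findActiveContent(SAMPLE));
console.log(sanitizeHtml(SAMPLE));
```

In a react-markdown pipeline the equivalent step is to run rehype-sanitize after rehype-raw (rehypePlugins={[rehypeRaw, rehypeSanitize]}), so that the raw HTML is parsed into the syntax tree before the allowlist is applied; a tree-based sanitizer also handles entity decoding and nesting that a tokenizer like the one above only approximates. The page does not say which fix upstream shipped, so treat that as the standard remediation pattern rather than Langflow's patch. Note that dropping the unsafe attributes still leaves the `<img>` and `<a>` elements in place, so a defender sweeping stored rows should look at findActiveContent output rather than at whether sanitizeHtml changed the text.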