AgentFlow Arbitrary Code Execution Vulnerability via User-Controlled pipeline_path

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in AgentFlow. This issue arises from the application's handling of the pipeline_path parameter in POST requests to the /api/runs and /api/runs/validate endpoints. By supplying a crafted pipeline_path, attackers can execute local Python pipeline files, leading to code execution in the context of the user running AgentFlow.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where AgentFlow is running.

Reproduction

To reproduce this vulnerability, first ensure that the AgentFlow application is running and the local web API is active. By default, the API does not allow loading pipelines from filesystem paths. However, this can be enabled by setting the AGENTFLOW_API_ALLOW_PIPELINE_PATH environment variable to '1' when starting the application. Once the API is configured to allow pipeline path loading, send a POST request to either the /api/runs or /api/runs/validate endpoint with a JSON payload that includes a pipeline_path parameter pointing to a local Python pipeline file. The API will then load and execute the specified pipeline, resulting in arbitrary code execution.

Remediation

Users can keep the vulnerable functionality disabled by not setting the AGENTFLOW_API_ALLOW_PIPELINE_PATH environment variable. The latest version of AgentFlow, which includes a patch for this vulnerability, can be downloaded from the AgentFlow GitHub repository.
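To confirm that no running process has the setting turned on, the environment of each process can be read from /proc on Linux. The script below is an added example, not code from AgentFlow or from this advisory; the sample process entries and command lines are constructed, and treating values other than '1' as "review" is an assumption, since only '1' is documented above.

```python
import os
import tempfile

FLAG = "AGENTFLOW_API_ALLOW_PIPELINE_PATH"  # variable name from the advisory

def parse_environ(raw: bytes) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def classify(env: dict) -> str:
    """'enabled' for the documented '1'; 'review' for any other non-empty
    value (assumption: its effect is undocumented); 'off' if unset or empty."""
    value = env.get(FLAG, "").strip()
    if value == "1":
        return "enabled"
    return "review" if value else "off"

def audit_proc(proc_root: str = "/proc") -> list:
    """Return (pid, cmdline, status) for each readable process carrying the flag."""
    findings = []
    for pid in sorted(int(n) for n in os.listdir(proc_root) if n.isdigit()):
        base = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(base, "environ"), "rb") as fh:
                status = classify(parse_environ(fh.read()))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # process exited, or not readable without root
            continue
        if status != "off":
            findings.append((pid, cmdline, status))
    return findings

def build_sample_proc() -> str:
    """Constructed stand-in for /proc (command lines are made up, not AgentFlow's CLI)."""
    root = tempfile.mkdtemp()
    sample = {"101": FLAG.encode() + b"=1\0PATH=/usr/bin\0",
              "102": b"PATH=/usr/bin\0",
              "103": FLAG.encode() + b"=true\0"}
    for pid, environ in sample.items():
        os.makedirs(os.path.join(root, pid))
        for fname, data in (("environ", environ), ("cmdline", b"python\0app.py\0")):
            with open(os.path.join(root, pid, fname), "wb") as fh:
                fh.write(data)
    return root
```

Run `audit_proc()` as root to cover processes owned by other users. /proc/<pid>/environ shows the environment the process was started with, so a variable set in a service unit or wrapper script appears here, while one changed by the process after startup does not.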

Added: Apr 29, 2026, 7:20 PM
Updated: Apr 29, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 0.0
relevance: 7.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.