langflow-ai langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- <= 1.8.4
A command injection vulnerability exists in Langflow AI versions up to and including 1.8.4, specifically within the Full Builtins Module Handler. The issue is in the CodeParser.parse_callable_details function in src/lfx/src/lfx/custom/code_parser/code_parser.py, which passes unvalidated strings taken from user-supplied component code to eval(), executing them as Python code. Because the evaluation environment does not restrict access to built-in functions (such as __import__), the evaluated string can import modules and run arbitrary commands.
Exploitation of this vulnerability results in remote code execution on the server where Langflow is running.
To reproduce this vulnerability, an authenticated user sends a request carrying a valid token to the custom_component endpoint. The request body contains component source code in which the return type annotation of a function has been replaced by a malicious expression. When CodeParser.parse_callable_details processes that annotation, eval() executes the injected expression, so the command runs as a side effect of parsing the component, before any component code is intentionally run. The only stated prerequisite is an authenticated session with a valid token.
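The parsing flaw described above, as an added illustration rather than Langflow's own code: a minimal return-annotation extractor that shows the vulnerable eval() pattern next to a hardened version that keeps the annotation as text and validates it with an AST allow-list. The component sources, the function names, the allow-list and the environment-variable marker are constructed for this example and do not come from the advisory or the project; it needs Python 3.9 or later for ast.unparse.

```python
import ast
import os
from typing import Optional  # present so the benign annotation resolves under eval()

# Marker that the constructed malicious annotation sets when it is executed.
MARKER_ENV = "CODE_PARSER_DEMO"

# Constructed component sources (not Langflow's code). The second one puts an
# arbitrary expression where a type name is expected; it is deliberately
# benign and only sets an environment variable in the current process.
BENIGN_SOURCE = """
def build(self) -> Optional[str]:
    return None
"""

MALICIOUS_SOURCE = """
def build(self) -> __import__('os').environ.setdefault('CODE_PARSER_DEMO', 'executed'):
    return None
"""


def _function_defs(source: str):
    """Yield the function definitions found at module level in ``source``."""
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            yield node


def parse_return_types_unsafe(source: str) -> dict:
    """Vulnerable pattern: the annotation text is handed to eval().

    eval() with the default globals exposes __builtins__, so __import__ (and
    therefore os, subprocess, ...) is reachable from the annotation string.
    """
    results = {}
    for fn in _function_defs(source):
        annotation_src = ast.unparse(fn.returns) if fn.returns is not None else None
        results[fn.name] = eval(annotation_src) if annotation_src else None
    return results


def parse_return_types_safe(source: str) -> dict:
    """Hardened pattern: keep the annotation as text and never execute it."""
    results = {}
    for fn in _function_defs(source):
        results[fn.name] = ast.unparse(fn.returns) if fn.returns is not None else None
    return results


# AST node types that can appear in an ordinary type annotation such as
# Optional[str], dict[str, "Forward"] or list[str] | None (constructed allow-list).
_ALLOWED_ANNOTATION_NODES = (
    ast.Expression, ast.Name, ast.Attribute, ast.Subscript, ast.Tuple,
    ast.Constant, ast.BinOp, ast.BitOr, ast.Load,
)


def annotation_is_plain_type(annotation_src: str) -> bool:
    """Return True only if the annotation contains nothing but type syntax.

    Calls, lambdas, comprehensions and similar constructs are rejected, so an
    expression like __import__('os').system(...) never reaches any evaluator.
    """
    try:
        tree = ast.parse(annotation_src, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, _ALLOWED_ANNOTATION_NODES) for node in ast.walk(tree))


def suspicious_annotations(source: str) -> list:
    """Names of functions whose return annotation is not plain type syntax."""
    return [
        name for name, annotation in parse_return_types_safe(source).items()
        if annotation is not None and not annotation_is_plain_type(annotation)
    ]


def marker_was_executed() -> bool:
    """True once the malicious annotation has actually been evaluated."""
    return os.environ.get(MARKER_ENV) == "executed"


if __name__ == "__main__":
    print("safe parse:", parse_return_types_safe(MALICIOUS_SOURCE))
    print("suspicious:", suspicious_annotations(MALICIOUS_SOURCE))
    print("marker before unsafe parse:", marker_was_executed())
    parse_return_types_unsafe(MALICIOUS_SOURCE)
    print("marker after unsafe parse:", marker_was_executed())
```

Running the module directly prints the safe parse result, the flagged function and the marker before and after the unsafe parse. The marker flips while the component is merely being parsed, before any of its code is intentionally run, which is the behaviour the advisory describes for CodeParser processing the annotation. The hardened version never needs to evaluate the annotation at all; where a real type object is required, resolve the validated text against an explicit mapping of known type names instead of calling eval().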
Update to Langflow version 1.8.5 or later, where this vulnerability is fixed. Until the upgrade is applied, limit who can obtain tokens and reach the custom_component endpoint, since any authenticated user can trigger the flaw.