langflow-base 0.9.3

Direct Vulnerabilities

Known vulnerabilities in the langflow-base package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the `install_mcp_config` function in the Model Context Protocol Configuration API when processing the `X-Forwarded-For` argument. An authenticated user can execute arbitrary code or inject malicious input by supplying crafted data to this argument. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? There is no fixed version for `langflow-base`.	[0,)
M Missing Authorization Affected versions of this package are vulnerable to Missing Authorization via the `download_image` endpoint. An attacker can access and download image files belonging to any flow by knowing or guessing the flow ID and file name. How to fix Missing Authorization? There is no fixed version for `langflow-base`.	[0,)
H Missing Authorization Affected versions of this package are vulnerable to Missing Authorization via the `logs` and `logs-stream` endpoints. An attacker can access sensitive application log data by authenticating with basic user privileges, as these endpoints do not enforce privilege checks. How to fix Missing Authorization? There is no fixed version for `langflow-base`.	[0.0.83,)
H Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the disk cache service. An attacker can execute arbitrary code by supplying crafted data that is deserialized without proper validation. How to fix Deserialization of Untrusted Data? There is no fixed version for `langflow-base`.	[0,)
C Origin Validation Error Affected versions of this package are vulnerable to Origin Validation Error via an overly permissive CORS configuration in the `refresh` endpoint. An attacker can gain unauthorized access to authentication tokens and execute arbitrary code by enticing a victim to visit a malicious webpage that performs cross-origin requests with credentials. Note: The option was added in version 0.6.0 (used in langflow 1.6.x) to restrict allowed origins with `LANGFLOW_CORS_ORIGINS`. This will become the default behavior, with permissive settings (`origins = *`) being opt-in, in a future release. How to fix Origin Validation Error? There is no fixed version for `langflow-base`.	[0,)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the install_mcp_config function in the Model Context Protocol Configuration API when processing the X-Forwarded-For argument. An authenticated user can execute arbitrary code or inject malicious input by supplying crafted data to this argument.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?