langflow@0.6.5a1 vulnerabilities

A Python package with a built-in web application

Direct Vulnerabilities

Known vulnerabilities in the langflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection through any components that provided the code functionality running on the local machine rather than a sandboxed environment. An attacker can execute arbitrary code on the host system by injecting malicious code into the components.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)
  • M
Missing Authorization

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Missing Authorization due to improper authorization checks to verify flow ownership in upload_file function in files.py file. To exploit this vulnerability, an attacker needs valid authentication credentials but does not require elevated privileges.

Note: The attack can be carried out by sending file upload requests to the /api/v1/files/upload endpoint with a flow_id parameter corresponding to another user's flow.

How to fix Missing Authorization?

Upgrade langflow to version 1.0.19 or higher.

[,1.0.19)
  • C
Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection via the PythonCodeTool component, due to a lack of validations.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)
  • M
Regular Expression Denial of Service (ReDoS)

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the manipulation of the remaining_text argument. An attacker can cause a denial of service condition by sending crafted inputs.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for langflow.

[0,)
  • H
Improper Authorization

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Improper Authorization via the /api/v1/users endpoint. An attacker can gain super admin privileges by performing a mass assignment request.

How to fix Improper Authorization?

Upgrade langflow to version 1.0.13 or higher.

[,1.0.13)
  • M
Improper Input Validation

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Improper Input Validation via an unsecure /custom_component/reload endpoint.

How to fix Improper Input Validation?

Upgrade langflow to version 1.0.0a37 or higher.

[,1.0.0a37)
  • H
Improper Control of Dynamically-Managed Code Resources

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the POST /api/v1/custom_component endpoint when untrusted users provide a Python script. An attacker can execute arbitrary code on the server.

How to fix Improper Control of Dynamically-Managed Code Resources?

There is no fixed version for langflow.

[0,)