langflow 1.0.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the langflow package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Eval Injection langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Eval Injection via the `eval_custom_component_code` function. An attacker can execute arbitrary code by supplying a crafted string that is evaluated without proper validation. How to fix Eval Injection? There is no fixed version for `langflow`.	[0,)
H Arbitrary Code Injection langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Arbitrary Code Injection via the handling of Python function components. An attacker can execute arbitrary code by introducing custom Python code into a workflow. How to fix Arbitrary Code Injection? There is no fixed version for `langflow`.	[0,)
H Unsafe Dependency Resolution langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the `exec_globals` parameter in the validate endpoint. An attacker can execute arbitrary code by supplying crafted input to this parameter. How to fix Unsafe Dependency Resolution? There is no fixed version for `langflow`.	[0,)
C Arbitrary Code Injection langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Arbitrary Code Injection via the code parameter in the `validate` endpoint. An attacker can execute arbitrary code with root privileges by sending a specially crafted request containing malicious Python code. How to fix Arbitrary Code Injection? There is no fixed version for `langflow`.	[0,)
H Deserialization of Untrusted Data langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the disk cache service. An attacker can execute arbitrary code by supplying crafted data that is deserialized without proper validation. How to fix Deserialization of Untrusted Data? There is no fixed version for `langflow`.	[0,)
C Missing Authentication for Critical Function langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Missing Authentication for Critical Function at the `/api/v1/validate/code` endpoint, which allows an attacker to execute arbitrary code by sending malicious HTTP requests. How to fix Missing Authentication for Critical Function? Upgrade `langflow` to version 1.3.0 or higher.	[,1.3.0)
H Arbitrary Code Injection langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Arbitrary Code Injection through any components that provided the code functionality running on the local machine rather than a sandboxed environment. An attacker can execute arbitrary code on the host system by injecting malicious code into the components. How to fix Arbitrary Code Injection? There is no fixed version for `langflow`.	[0,)
M Missing Authorization langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Missing Authorization due to improper authorization checks to verify flow ownership in `upload_file` function in `files.py` file. To exploit this vulnerability, an attacker needs valid authentication credentials but does not require elevated privileges. Note: The attack can be carried out by sending file upload requests to the `/api/v1/files/upload` endpoint with a `flow_id` parameter corresponding to another user's flow. How to fix Missing Authorization? Upgrade `langflow` to version 1.0.19 or higher.	[,1.0.19)
C Arbitrary Code Injection langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Arbitrary Code Injection via the `PythonCodeTool` component, due to a lack of validations. How to fix Arbitrary Code Injection? There is no fixed version for `langflow`.	[0,)
M Regular Expression Denial of Service (ReDoS) langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the manipulation of the `remaining_text` argument. An attacker can cause a denial of service condition by sending crafted inputs. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `langflow` to version 1.5.0 or higher.	[,1.5.0)
H Improper Authorization langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Improper Authorization via the `/api/v1/users` endpoint. An attacker can gain super admin privileges by performing a mass assignment request. How to fix Improper Authorization? Upgrade `langflow` to version 1.0.13 or higher.	[,1.0.13)
H Improper Control of Dynamically-Managed Code Resources langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the `POST /api/v1/custom_component` endpoint when untrusted users provide a Python script. An attacker can execute arbitrary code on the server. How to fix Improper Control of Dynamically-Managed Code Resources? Upgrade `langflow` to version 1.0.15 or higher.	[,1.0.15)

Vulnerability

Vulnerable Version

Eval Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Eval Injection via the eval_custom_component_code function. An attacker can execute arbitrary code by supplying a crafted string that is evaluated without proper validation.

How to fix Eval Injection?

There is no fixed version for langflow.

[0,)

Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection via the handling of Python function components. An attacker can execute arbitrary code by introducing custom Python code into a workflow.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)

Unsafe Dependency Resolution

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the exec_globals parameter in the validate endpoint. An attacker can execute arbitrary code by supplying crafted input to this parameter.

How to fix Unsafe Dependency Resolution?

There is no fixed version for langflow.

[0,)

Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection via the code parameter in the validate endpoint. An attacker can execute arbitrary code with root privileges by sending a specially crafted request containing malicious Python code.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)

Deserialization of Untrusted Data

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the disk cache service. An attacker can execute arbitrary code by supplying crafted data that is deserialized without proper validation.

How to fix Deserialization of Untrusted Data?

There is no fixed version for langflow.

[0,)

Missing Authentication for Critical Function

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Missing Authentication for Critical Function at the /api/v1/validate/code endpoint, which allows an attacker to execute arbitrary code by sending malicious HTTP requests.

How to fix Missing Authentication for Critical Function?

Upgrade langflow to version 1.3.0 or higher.

[,1.3.0)

Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection through any components that provided the code functionality running on the local machine rather than a sandboxed environment. An attacker can execute arbitrary code on the host system by injecting malicious code into the components.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)

Missing Authorization

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Missing Authorization due to improper authorization checks to verify flow ownership in upload_file function in files.py file. To exploit this vulnerability, an attacker needs valid authentication credentials but does not require elevated privileges.

Note: The attack can be carried out by sending file upload requests to the /api/v1/files/upload endpoint with a flow_id parameter corresponding to another user's flow.

How to fix Missing Authorization?

Upgrade langflow to version 1.0.19 or higher.

[,1.0.19)

Arbitrary Code Injection

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Arbitrary Code Injection via the PythonCodeTool component, due to a lack of validations.

How to fix Arbitrary Code Injection?

There is no fixed version for langflow.

[0,)

Regular Expression Denial of Service (ReDoS)

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the manipulation of the remaining_text argument. An attacker can cause a denial of service condition by sending crafted inputs.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade langflow to version 1.5.0 or higher.

[,1.5.0)

Improper Authorization

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Improper Authorization via the /api/v1/users endpoint. An attacker can gain super admin privileges by performing a mass assignment request.

How to fix Improper Authorization?

Upgrade langflow to version 1.0.13 or higher.

[,1.0.13)

Improper Control of Dynamically-Managed Code Resources

langflow is an A Python package with a built-in web application

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the POST /api/v1/custom_component endpoint when untrusted users provide a Python script. An attacker can execute arbitrary code on the server.

How to fix Improper Control of Dynamically-Managed Code Resources?

Upgrade langflow to version 1.0.15 or higher.

[,1.0.15)

langflow@1.0.6 vulnerabilities

A Python package with a built-in web application

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically