VYPR
Moderate severity · NVD Advisory · Published Nov 4, 2024 · Updated Mar 27, 2026

CVE-2024-48061

Description

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Langflow <=1.0.18 allows remote code execution because code components run unsandboxed on the local machine.

Vulnerability

Langflow versions up to 1.0.18 are vulnerable to Remote Code Execution (RCE) because components that execute code are run directly on the host system without any sandboxing or isolation mechanism [1]. The official description confirms that “any component provided the code functionality and the components run on the local machine rather than in a sandbox” [2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the api/v1/validate/code endpoint. As demonstrated in a public proof of concept, the exec function is called when processing ast.FunctionDef nodes, allowing arbitrary Python code execution through default parameter expressions [4]. The API does not require authentication, making the attack surface broad for any publicly exposed Langflow instance [4].
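The mechanism above hinges on the difference between parsing a function definition and executing it: `exec` of a `def` evaluates every default-argument expression at definition time, whereas `ast.parse` only builds a tree. As an added illustration (not code from the page or from the Langflow project), the following validator syntax-checks submitted code, enumerates its functions and flags non-literal defaults for review without ever calling `exec`; the function names, `ValidationResult` type and the `SAMPLE` snippet are constructed for this example.

```python
import ast
from dataclasses import dataclass, field


@dataclass
class ValidationResult:
    ok: bool
    functions: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def validate_code_without_exec(source: str) -> ValidationResult:
    """Syntax-check `source` and list its functions using ast.parse only.

    Nothing in `source` is executed: parsing never evaluates default-argument
    expressions, so a default such as `os.getcwd()` is inspected, not run.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return ValidationResult(False, findings=[f"syntax error at line {e.lineno}: {e.msg}"])
    result = ValidationResult(True)
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            result.functions.append(node.name)
            defaults = node.args.defaults + [d for d in node.args.kw_defaults if d is not None]
            for d in defaults:
                # Any default that is not a plain literal would be evaluated the moment
                # the definition were exec'd; surface it so a reviewer sees it first.
                if not isinstance(d, ast.Constant):
                    result.findings.append(
                        f"{node.name}: non-literal default at line {d.lineno}: {ast.unparse(d)}")
    return result


# Constructed sample: a component whose parameter default is an expression, not a literal.
SAMPLE = """
import os

def run(path=os.getcwd(), retries=3):
    return path

def helper(x):
    return x
"""

if __name__ == "__main__":
    r = validate_code_without_exec(SAMPLE)
    print(r.ok, r.functions, r.findings)
```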

Impact

Successful exploitation grants an attacker arbitrary command execution on the server running Langflow, potentially leading to unauthorized access, data exfiltration, system compromise, or a reverse shell [1][4]. The vulnerability is classified as Remote Code Execution with no authentication required.

Mitigation

As of the publication date, the vendor has not released a patched version beyond 1.0.18. Users are advised to restrict network access to the Langflow API, avoid exposing it to the internet, and monitor for security updates [3]. There are no known workarounds that fully address the missing sandboxing.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
langflow (PyPI)  <= 1.0.18           none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.