Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.
The defense mechanism based solely on file name validation at the HTTP layer (dependency `ValidatedFileName`) can be bypassed by an appropriately crafted file name in a multipart upload request directed to the `POST /api/v2/files/` endpoint. The data storage layer (`LocalStorageService`) does not independently perform any path boundary containment checks, which constitutes an architectural flaw in the system. As a result, an attacker can perform path traversal and write a file to any location on the server, bypassing the path parameter protection. Writing a malicious file to an appropriate system location then enables arbitrary code execution (RCE).
An authenticated attacker can write arbitrary files to a chosen location on the host, which consequently leads to Remote Code Execution (RCE) and complete compromise of system confidentiality, integrity, and availability.
Update Langflow to version 1.9.0, which contains improved security implementation. Apply boundary containment checks directly in the `LocalStorageService` layer, rather than relying solely on HTTP validation.
Langflow in versions 1.2.0 to 1.8.1 (inclusive)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HLangflow
APPLangflow1.2.0 – 1.9.0 (bez)
Related vulnerabilities
Langflow: nieuwierzytelniony RCE przez endpoint budowania publicznych przepływów
Langflow: przejęcie konta i RCE przez błędną konfigurację CORS
Nieuwierzytelnione RCE w Langflow poprzez wstrzyknięcie kodu w endpoint /api/v1/validate/code
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of ...
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process...