|
1 | | -# 🛡️ Langflow Security Policy & Responsible Disclosure |
2 | | - |
3 | | -## Security Policy |
| 1 | +# Langflow Security Policy & Responsible Disclosure |
4 | 2 |
|
5 | 3 | This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. |
6 | 4 |
|
7 | 5 | ### Security/Bugfix Versions |
8 | 6 |
|
9 | | -- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1) |
10 | | -- Security fixes are given priority and might be enough to cause a new version to be released |
11 | | - |
12 | | -## Reporting a Vulnerability |
13 | | - |
14 | | -We encourage responsible disclosure of security vulnerabilities. If you find something suspicious, we encourage and appreciate your report! |
15 | | - |
16 | | -### How to Report |
17 | | - |
18 | | -Use the "Report a vulnerability" button under the "Security" tab of the [Langflow GitHub repository](https://github.com/langflow-ai/langflow/security). This creates a private communication channel between you and the maintainers. |
19 | | - |
20 | | -### Reporting Guidelines |
21 | | - |
22 | | -- Provide clear details to help us reproduce and fix the issue quickly |
23 | | -- Include steps to reproduce, potential impact, and any suggested fixes |
24 | | -- Your report will be kept confidential, and your details will not be shared without your consent |
25 | | - |
26 | | -### Response Timeline |
27 | | - |
28 | | -- We will acknowledge your report within 5 business days |
29 | | -- We will provide an estimated resolution timeline |
30 | | -- We will keep you updated on our progress |
31 | | - |
32 | | -### Disclosure Guidelines |
33 | | - |
34 | | -- Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users |
35 | | -- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review |
36 | | -- Avoid including: |
37 | | - - Data from any Langflow customer projects |
38 | | - - Langflow user/customer information |
39 | | - - Details about Langflow employees, contractors, or partners |
40 | | - |
41 | | -We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly. |
42 | | - |
43 | | -## Known Vulnerabilities |
44 | | - |
45 | | -### Server-Side Request Forgery (SSRF) in API Request Component (Fixed in 1.7.1) |
46 | | - |
47 | | -Langflow's [API Request component](https://docs.langflow.org/api-request) allows arbitrary HTTP requests within a flow. In versions < 1.7.1, this component did not block private IP ranges (`127.0.0.1`, `10/172/192` ranges) or cloud metadata endpoints (`169.254.169.254`), enabling Server-Side Request Forgery (SSRF) attacks. |
48 | | - |
49 | | -**Potential security impact:** |
50 | | -- Attackers with API key access can access internal administrative endpoints, metadata services, and internal databases/services |
51 | | -- Foothold for attacking internal services by abusing inter-service trust |
52 | | -- Non-blind SSRF: Response bodies are returned to the client, enabling immediate data exfiltration |
53 | | - |
54 | | -**CVE**: [CVE-2025-68477](https://nvd.nist.gov/vuln/detail/CVE-2025-68477) |
55 | | -**GitHub Advisory**: [GHSA-5993-7p27-66g5](https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5) |
56 | | -**Fixed in**: Langflow >= 1.7.1 |
57 | | - |
58 | | -### External Control of File Name or Path (Fixed in 1.7.1) |
59 | | - |
60 | | -When creating a flow through the [`/api/v1/flows/`](https://docs.langflow.org/api-flows) endpoint, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the flow object into JSON and creates/overwrites a file at that path. In versions < 1.7.1, there is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., `/etc/poc.txt`) are interpreted as-is. |
61 | | - |
62 | | -**Potential security impact:** |
63 | | -- Authenticated arbitrary file write (within server permission scope): Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components |
64 | | -- Both absolute and relative paths are allowed, enabling base directory traversal |
65 | | -- Risk of overwriting system files increases in environments with root privileges or weak mount/permission settings |
66 | | -- File content is limited to Flow JSON, but impact is severe if the target file is parsed by a JSON parser or subject to subsequent processing |
67 | | - |
68 | | -**CVE**: [CVE-2025-68478](https://nvd.nist.gov/vuln/detail/CVE-2025-68478) |
69 | | -**GitHub Advisory**: [GHSA-f43r-cc68-gpx4](https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4) |
70 | | -**Fixed in**: Langflow >= 1.7.1 |
71 | | - |
72 | | -### Environment Variable Loading Bug (Fixed in 1.6.4) |
73 | | - |
74 | | -Langflow versions `1.6.0` through `1.6.3` have a critical bug where environment variables from `.env` files are not being read. This affects all deployments using environment variables for configuration, including security settings. |
75 | | - |
76 | | -**Potential security impact:** |
77 | | - |
78 | | -- Environment variables from `.env` files are not read. |
79 | | -- Security configurations like `AUTO_LOGIN=false` may not be applied, potentially allowing users to log in as the default superuser. |
80 | | -- Database credentials, API keys, and other sensitive configuration may not be loaded. |
81 | | - |
82 | | -**DO NOT** upgrade to Langflow versions `1.6.0` through `1.6.3` if you use `.env` files for configuration. Instead, upgrade to version `1.6.4`, which includes a fix for this bug. |
83 | | - |
84 | | -**Fixed in**: Langflow >= 1.6.4 |
85 | | - |
86 | | -### Code Execution Vulnerability (Fixed in 1.3.0) |
87 | | - |
88 | | -Langflow allows users to define and run **custom code components** through endpoints like `/api/v1/validate/code`. In versions < 1.3.0, this endpoint did not enforce authentication or proper sandboxing, allowing **unauthenticated arbitrary code execution**. |
89 | | - |
90 | | -This means an attacker could send malicious code to the endpoint and have it executed on the server—leading to full system compromise, including data theft, remote shell access, or lateral movement within the network. |
91 | | - |
92 | | -**CVE**: [CVE-2025-3248](https://nvd.nist.gov/vuln/detail/CVE-2025-3248) |
93 | | -**Fixed in**: Langflow >= 1.3.0 |
94 | | - |
95 | | -### Privilege Escalation via CLI Superuser Creation (Fixed in 1.5.1) |
96 | | - |
97 | | -A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command `langflow superuser` to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. |
98 | | - |
99 | | -**CVE**: [CVE-2025-57760](https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r) |
100 | | -**Fixed in**: Langflow >= 1.5.1 |
101 | | - |
102 | | -### Arbitrary Code Execution in LangChain CSV Agent |
103 | | - |
104 | | -The **CSV Agent** component (LangChain bundle) uses the `langchain-experimental` CSV agent, which can execute Python code generated by the LLM at runtime, such as to analyze the CSV with `pandas`. |
105 | | -This code runs in-process on the server and can perform any action the process can. |
106 | | - |
107 | | -For more information, see [LangChain bundle documentation](https://docs.langflow.org/bundles-langchain#csv-agent). |
108 | | - |
109 | | -**CVE:** [CVE-2024-21513](https://nvd.nist.gov/vuln/detail/CVE-2024-21513) (langchain-experimental arbitrary code execution). |
110 | | -**Fixed in**: Langflow >= 1.8.0 |
111 | | - |
112 | | -### No API key required if running Langflow with `LANGFLOW_AUTO_LOGIN=true` and `LANGFLOW_SKIP_AUTH_AUTO_LOGIN=true` |
113 | | - |
114 | | -In Langflow versions earlier than 1.5, if `LANGFLOW_AUTO_LOGIN=true`, then Langflow automatically logs users in as a superuser without requiring authentication. In this case, API requests don't require a Langflow API key. |
115 | | - |
116 | | -In Langflow version 1.5, a Langflow API key is required to authenticate requests. |
117 | | -Setting `LANGFLOW_SKIP_AUTH_AUTO_LOGIN=true` and `LANGFLOW_AUTO_LOGIN=true` skips authentication for API requests. However, the `LANGFLOW_SKIP_AUTH_AUTO_LOGIN` option will be removed in v1.6. |
118 | | - |
119 | | -`LANGFLOW_SKIP_AUTH_AUTO_LOGIN=true` is the default behavior, so users do not need to change existing workflows in 1.5. To update your workflows to require authentication, set `LANGFLOW_SKIP_AUTH_AUTO_LOGIN=false`. |
120 | | - |
121 | | -For more information, see [API keys and authentication](https://docs.langflow.org/api-keys-and-authentication). |
122 | | - |
123 | | -## Security Configuration Guidelines |
124 | | - |
125 | | -### Superuser Creation Security |
126 | | - |
127 | | -The `langflow superuser` CLI command can present a privilege escalation risk if not properly secured. |
128 | | - |
129 | | -#### Security Measures |
130 | | - |
131 | | -1. **Authentication Required in Production** |
132 | | - |
133 | | - - When `LANGFLOW_AUTO_LOGIN=false`, superuser creation requires authentication |
134 | | - - Use `--auth-token` parameter with a valid superuser API key or JWT token |
135 | | - |
136 | | -2. **Disable CLI Superuser Creation** |
137 | | - |
138 | | - - Set `LANGFLOW_ENABLE_SUPERUSER_CLI=false` to disable the command entirely |
139 | | - - Strongly recommended for production environments |
140 | | - |
141 | | -3. **Secure AUTO_LOGIN Setting** |
142 | | - - Default is `true` for <=1.5. This may change in a future release. |
143 | | - - When `true`, creates default superuser `langflow/langflow` - **ONLY USE IN DEVELOPMENT** |
144 | | - |
145 | | -#### Production Security Configuration |
146 | | - |
147 | | -```bash |
148 | | -# Recommended production settings |
149 | | -export LANGFLOW_AUTO_LOGIN=false |
150 | | -export LANGFLOW_ENABLE_SUPERUSER_CLI=false |
151 | | -export LANGFLOW_SUPERUSER="<your-superuser-username>" |
152 | | -export LANGFLOW_SUPERUSER_PASSWORD="<your-superuser-password>" |
153 | | -export LANGFLOW_DATABASE_URL="<your-production-database-url>" # e.g. "postgresql+psycopg://langflow:secure_pass@db.internal:5432/langflow" |
154 | | -export LANGFLOW_SECRET_KEY="your-strong-random-secret-key" |
155 | | -``` |
156 | | - |
157 | | -## Secret Key Rotation |
158 | | - |
159 | | -The `LANGFLOW_SECRET_KEY` is used for: |
160 | | - |
161 | | -- **JWT signing**: Access tokens, refresh tokens |
162 | | -- **Fernet encryption**: Stored credentials, encrypted variables, MCP auth settings |
163 | | - |
164 | | -User passwords use bcrypt and are **not affected** by key rotation. |
165 | | - |
166 | | -### Running the Migration |
167 | | - |
168 | | -```bash |
169 | | -# Stop Langflow first, then: |
170 | | - |
171 | | -# Preview what will be migrated |
172 | | -uv run python scripts/migrate_secret_key.py --dry-run |
173 | | - |
174 | | -# Run the migration |
175 | | -uv run python scripts/migrate_secret_key.py |
176 | | - |
177 | | -# Start Langflow |
178 | | -``` |
179 | | - |
180 | | -The script will: |
181 | | - |
182 | | -1. Read your current secret key from the config directory |
183 | | -2. Generate a new secret key |
184 | | -3. Re-encrypt all sensitive data in the database (atomic transaction) |
185 | | -4. Backup the old key to `<config-dir>/secret_key.backup.<timestamp>` |
186 | | -5. Save the new key to `<config-dir>/secret_key` |
187 | | - |
188 | | -If the database migration fails, no changes are made - the transaction rolls back and the key files remain untouched. |
189 | | - |
190 | | -### Config Directory Location |
191 | | - |
192 | | -The default config directory varies by platform: |
193 | | - |
194 | | -- **macOS**: `~/Library/Caches/langflow` |
195 | | -- **Linux**: `~/.cache/langflow` |
196 | | -- **Windows**: `C:\Users\<user>\AppData\Local\langflow\langflow\Cache` |
197 | | - |
198 | | -Override with `LANGFLOW_CONFIG_DIR` environment variable or `--config-dir` flag. |
199 | | - |
200 | | -### CLI Options |
201 | | - |
202 | | -``` |
203 | | -uv run python scripts/migrate_secret_key.py --help |
204 | | -
|
205 | | -Options: |
206 | | - --dry-run Preview changes without modifying anything |
207 | | - --config-dir PATH Langflow config directory (default: platform-specific) |
208 | | - --database-url URL Database connection URL (default: sqlite in config dir) |
209 | | - --old-key KEY Current secret key (default: read from config dir) |
210 | | - --new-key KEY New secret key (default: auto-generated) |
211 | | -``` |
212 | | - |
213 | | -### What Gets Migrated |
214 | | - |
215 | | -| Location | Data | Notes | |
216 | | -| ---------------------- | -------------------------------- | ---------------- | |
217 | | -| `user.store_api_key` | Langflow Store API key | Fernet encrypted | |
218 | | -| `variable.value` | All variable values | Fernet encrypted | |
219 | | -| `folder.auth_settings` | MCP oauth_client_secret, api_key | Fernet encrypted | |
220 | | - |
221 | | -### What Gets Invalidated |
222 | | - |
223 | | -Even with migration, these cannot be preserved: |
| 7 | +- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1). |
| 8 | +- Security fixes are given priority and might be enough to cause a new version to be released. |
224 | 9 |
|
225 | | -- **Active sessions**: Users must log in again (JWT tokens are invalidated) |
| 10 | +## Report a vulnerability |
226 | 11 |
|
| 12 | +Please do not report security vulnerabilities through public GitHub issues or GitHub security advisories. |
| 13 | +To report a vulnerability, submit a report on [HackerOne](https://hackerone.com/ibm). |
| 14 | +Include a clear description of the issue, steps to reproduce, the Langflow version, and any known or suggested mitigations. |
| 15 | +Our team aims to respond to all new vulnerability reports within **7 business days**. |
0 commit comments