Attack Chain

1. An attacker authenticates to the Langflow application.
2. The attacker crafts a malicious request to the DELETE /api/v1/knowledge_bases endpoint.
3. The kb_names parameter in the request contains a path traversal sequence, such as ../victim_user/kb_name.
4. The delete_knowledge_bases_bulk function in src/backend/base/langflow/api/v1/knowledge_bases.py receives the malicious input.
5. The application constructs a file path by directly concatenating the user-supplied kb_names parameter without proper sanitization.
6. The shutil.rmtree() function is called with the crafted file path, attempting to recursively delete the directory.
7. Due to the path traversal sequence, the deletion occurs outside the intended user directory.
8. Arbitrary directories on the server are deleted, leading to data loss, service disruption, or cross-user data compromise.

Impact

Successful exploitation of this vulnerability can have severe consequences. An attacker could delete critical system files, causing service disruption. They could also delete other users’ knowledge base data, leading to a cross-user data compromise. Because the application has write access, they can traverse to any directory on the entire filesystem accessible to the Langflow service account. The vulnerability impacts any Langflow instance exposing the vulnerable endpoint to authenticated users.

Recommendation

• Upgrade Langflow to a version that includes the fix from PR #12243 and subsequent backports from PR #12337.
• Monitor web server logs for requests to the DELETE /api/v1/knowledge_bases endpoint containing path traversal sequences like ../ to detect exploitation attempts. Use the Sigma rule for detection of path traversal attempts.
• Implement strict input validation and sanitization for all user-supplied parameters, especially those used in file path construction.