Submit #791923: Langflow <= 1.8.3 Stored Cross-Site Scripting

Title: Langflow <= 1.8.3 Stored Cross-Site Scripting

Description:

# Technical Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in the frontend component of Langflow. The application relies on the `Markdown` component to render chat messages and flow descriptions. The configuration of this Markdown renderer explicitly enables raw HTML decoding with the `rehype-raw` plugin but fails to pair it with a sanitization plugin such as `rehype-sanitize`. As a result, arbitrary HTML and JavaScript injected by one user is rendered directly into the DOM of any user who views the content.

# Vulnerable Code

File: `src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx`

Method: Frontend React Component Rendering

Why: The JSX block `<Markdown rehypePlugins={[rehypeMathjax, rehypeRaw]}>{processedChatMessage}</Markdown>` renders user input. Because `rehypeRaw` is enabled without `rehypeSanitize`, dangerous tags and attributes (such as `<img onerror=...>` or `<script>`) are preserved in the output and executed by the browser.

# Reproduction

1. An authenticated attacker logs into the Langflow GUI.
2. The attacker uses the chat interface to send a message, or updates a project's Flow Description.
3. The attacker injects an XSS payload, for example: `<img src=x onerror=alert('XSS_Executed')>`.
4. The backend stores this payload in the database verbatim, without sanitization (which is expected of the storage layer).
5. When the attacker, or any other victim such as a higher-privileged administrator, views the chat history or the project configuration, the victim's browser renders the Markdown and executes the embedded JavaScript.

# Impact

- Session Hijacking: JavaScript execution allows attackers to steal `access_token` values stored in `LocalStorage`.
- Account Takeover and Privileged Actions: scripts can issue unauthorized asynchronous HTTP API calls on behalf of an administrator, deleting databases or altering security settings.
- Persistent Risk: the payload is stored in the database, affecting every user who opens the compromised project or chat session.
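The allowlist step the report says is missing, as an added example that is neither Langflow's code nor the `rehype-sanitize` project's code: a minimal sanitizer over a hast-style tree (the syntax tree that rehype plugins operate on), showing what such a step removes from the quoted payload and why. `SCHEMA`, `SAMPLE_TREE`, `sanitize`, `urlAllowed` and `toHtml` are hypothetical names, and the sample tree is constructed by hand to mirror what `rehype-raw` would produce for a chat message containing the payload above, plus a few neighbouring cases (a `<script>` element, a `javascript:` link, a `<div>` wrapper).

```javascript
// Added example, not Langflow's or rehype-sanitize's code: a minimal allowlist
// sanitizer over a hast-style tree, modelling what rehype-sanitize does when it
// runs after rehype-raw. Use the real plugin in a deployment; this illustrates
// the allowlist logic and reports what was dropped, which is useful for logging.

// Hypothetical schema, loosely modelled on the shape of rehype-sanitize's defaultSchema.
const SCHEMA = {
  tagNames: ['p', 'a', 'img', 'strong', 'em', 'code', 'pre', 'ul', 'ol', 'li', 'br'],
  attributes: { '*': ['className'], a: ['href', 'title'], img: ['src', 'alt', 'title'] },
  protocols: { href: ['http', 'https', 'mailto'], src: ['http', 'https'] },
  strip: ['script', 'style'], // removed together with their content, not unwrapped
};

// hast property names that serialise under a different HTML attribute name.
const ATTR_NAMES = { className: 'class' };
const VOID = new Set(['img', 'br']);

// A URL value passes if it is relative (no scheme) or its scheme is allowed.
function urlAllowed(value, schemes) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(value));
  return m === null || schemes.includes(m[1].toLowerCase());
}

// Returns 0, 1 or many nodes: stripped elements yield none, disallowed
// elements are unwrapped to their (already sanitized) children.
function sanitizeNode(node, schema, dropped) {
  if (node.type === 'text') return [node];
  if (node.type !== 'element') { dropped.push(`${node.type} node removed`); return []; }
  const tag = node.tagName.toLowerCase();
  if (schema.strip.includes(tag)) { dropped.push(`<${tag}> removed with its content`); return []; }
  const children = sanitizeChildren(node.children || [], schema, dropped);
  if (!schema.tagNames.includes(tag)) { dropped.push(`<${tag}> unwrapped`); return children; }
  const allowed = [...(schema.attributes['*'] || []), ...(schema.attributes[tag] || [])];
  const properties = {};
  for (const [name, value] of Object.entries(node.properties || {})) {
    // Event handler attributes (onerror, onload, ...) are never allowed.
    if (name.toLowerCase().startsWith('on')) { dropped.push(`<${tag} ${name}> event handler removed`); continue; }
    if (!allowed.includes(name)) { dropped.push(`<${tag} ${name}> not in allowlist`); continue; }
    const schemes = schema.protocols[name];
    if (schemes && !urlAllowed(value, schemes)) { dropped.push(`<${tag} ${name}> disallowed URL scheme`); continue; }
    properties[name] = value;
  }
  return [{ type: 'element', tagName: tag, properties, children }];
}

function sanitizeChildren(children, schema, dropped) {
  return children.flatMap((child) => sanitizeNode(child, schema, dropped));
}

// Entry point: returns the cleaned tree plus an audit list of what was dropped.
function sanitize(root, schema = SCHEMA) {
  const dropped = [];
  const tree = { type: 'root', children: sanitizeChildren(root.children, schema, dropped) };
  return { tree, dropped };
}

// Tiny serialiser so the result can be inspected as HTML.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function toHtml(node) {
  if (node.type === 'text') return escapeText(node.value);
  if (node.type === 'root') return node.children.map(toHtml).join('');
  const attrs = Object.entries(node.properties)
    .map(([k, v]) => ` ${ATTR_NAMES[k] || k.toLowerCase()}="${String(v).replace(/"/g, '&quot;')}"`)
    .join('');
  const inner = node.children.map(toHtml).join('');
  return VOID.has(node.tagName) ? `<${node.tagName}${attrs}>` : `<${node.tagName}${attrs}>${inner}</${node.tagName}>`;
}

// Constructed sample tree: what rehype-raw would hand on for a chat message
// containing the payload quoted in the report, plus a few neighbouring cases.
const SAMPLE_TREE = {
  type: 'root',
  children: [
    { type: 'element', tagName: 'p', properties: {}, children: [{ type: 'text', value: 'hello' }] },
    { type: 'element', tagName: 'img', properties: { src: 'x', onError: "alert('XSS_Executed')" }, children: [] },
    { type: 'element', tagName: 'script', properties: {}, children: [{ type: 'text', value: 'alert(1)' }] },
    { type: 'element', tagName: 'a', properties: { href: 'javascript:alert(1)' }, children: [{ type: 'text', value: 'link' }] },
    { type: 'element', tagName: 'div', properties: { className: ['x'] }, children: [{ type: 'text', value: 'wrapped' }] },
  ],
};

const result = sanitize(SAMPLE_TREE);
console.log(toHtml(result.tree)); // <p>hello</p><img src="x"><a>link</a>wrapped
console.log(result.dropped);
```

In the component itself the corresponding fix is to append the sanitizer after the raw plugin, e.g. `rehypePlugins={[rehypeMathjax, rehypeRaw, rehypeSanitize]}` (a custom schema can be passed as `[rehypeSanitize, schema]`), so that sanitization runs on the element nodes `rehype-raw` has just produced. On the sample above, `dropped` lists the `onError` handler, the `<script>` element with its contents, the `javascript:` link target, and the `<div>` wrapper, which is unwrapped rather than deleted so its text survives.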
Source: https://gist.github.com/chenhouser2025/935aa5d4556264ba408059eec0960b1a
User: Eric-f (UID 96873)
Submission: 03/28/2026 14:50 (23 days ago)
Moderation: 04/19/2026 15:47 (22 days later)
Status: Accepted
VulDB entry: 358235 [langflow-ai langflow up to 1.8.3 Frontend React Component Rendering edit-message.tsx cross site scripting]
Points: 20
