| Field | Value |
|---|---|
| Title | Langflow <= 1.8.3 Authentication Bypass by Spoofing |

Description:

# Technical Details
An IP Spoofing vulnerability exists in the Model Context Protocol (MCP) configuration API of Langflow. An authenticated remote attacker can bypass a "local-only" restriction designed to prevent remote clients from modifying the server's local MCP configuration files.
The application incorrectly trusts the user-supplied `X-Forwarded-For` HTTP header without validating its integrity against a trusted reverse proxy configuration, allowing an attacker to spoof the loopback address (`127.0.0.1`).
# Vulnerable Code
File: `src/backend/base/langflow/api/v1/mcp_projects.py`
Method: `get_client_ip()` / `install_mcp_config()`
Why: The `get_client_ip` function blindly reads `request.headers.get("X-Forwarded-For")` and returns the first IP in the list. The `install_mcp_config` endpoint then passes this spoofable IP into `is_local_ip()`. If the attacker injects `X-Forwarded-For: 127.0.0.1`, the security check passes and grants access to the restricted administrative functionality.
# Reproduction
1. An attacker obtains valid login credentials or a bearer token (even with minimal privileges).
2. The attacker identifies a valid project ID within Langflow.
3. The attacker issues an API request to `POST /api/v1/mcp/project/<project_id>/install` from a remote machine, injecting the HTTP header `X-Forwarded-For: 127.0.0.1`.
4. The server's logic is tricked into believing the request originated from `localhost`, allowing the attacker to arbitrarily specify and write to local configuration files (like `mcp.json`).
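The flawed lookup described above next to a hardened version, as an added example that is not Langflow's own code. The `Request` stand-in, the `TRUSTED_PROXIES` value and the address `203.0.113.9` are constructed for the example, and the hardened variant assumes exactly one trusted reverse proxy sits in front of the application (so the last `X-Forwarded-For` entry is the one that proxy appended).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for the framework request object (not Langflow's)."""
    client_host: str                        # address of the direct TCP peer
    headers: dict = field(default_factory=dict)

def is_local_ip(ip: str) -> bool:
    """Loopback check behind the 'local-only' gate (127.0.0.1, ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def get_client_ip_vulnerable(request: Request) -> str:
    """The flawed pattern: honour X-Forwarded-For from any peer, first entry wins."""
    xff = request.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request.client_host

# Assumed address of the one reverse proxy allowed to set the header (constructed).
TRUSTED_PROXIES = {"10.0.0.5"}

def get_client_ip_hardened(request: Request, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy, and
    then take the last entry, the one that proxy appended for its own peer."""
    peer = request.client_host
    if peer not in trusted_proxies:
        return peer                         # header came from an untrusted client
    hops = [h.strip() for h in request.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return peer
    try:
        ipaddress.ip_address(hops[-1])
    except ValueError:
        return peer                         # malformed header: fall back to the peer
    return hops[-1]

def install_allowed(request: Request, lookup=get_client_ip_hardened) -> bool:
    """Models the local-only gate on the MCP install endpoint."""
    return is_local_ip(lookup(request))
```

With the vulnerable lookup a remote peer sending `X-Forwarded-For: 127.0.0.1` passes the gate; with the hardened one the same request, whether sent directly or through the trusted proxy (which appends the real client address), is resolved to the remote address and rejected.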
# Impact
- Arbitrary Configuration Write: Remote attackers can manipulate the MCP settings for backend tools on the server's filesystem.
- Security Bypass: Defeats the network-level boundary defense implemented in the application logic.
- Potential vector for further server-side attacks by injecting malicious MCP definitions into developer tools (Cursor, Windsurf) located on the same server instance.

| Field | Value |
|---|---|
| Source | ⚠️ https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3 |
| User | Eric-f (UID 96873) |
| Submitted | 2026-03-28 14:48 (23 days ago) |
| Moderated | 2026-04-19 15:47 (22 days later) |
| Status | Accepted |
| VulDB Entry | 358234 [langflow-ai langflow up to 1.8.3 Model Context Protocol Configuration API mcp_projects.py get_client_ip/install_mcp_config X-Forwarded-For privilege escalation] |
| Points | 20 |