提交 #791923: Langflow <= 1.8.3 Stored Cross-Site Scripting信息

标题	Langflow <= 1.8.3 Stored Cross-Site Scripting
描述	# Technical Details A Stored Cross-Site Scripting (XSS) vulnerability exists in the frontend component of Langflow. The application relies on the `Markdown` component to render chat messages and flow descriptions. The configuration of this Markdown renderer explicitly enables raw HTML decoding using the `rehype-raw` plugin but crucially fails to pair it with a sanitization plugin such as `rehype-sanitize`. This oversight allows arbitrary HTML and JavaScript injected by a user to be rendered directly into the DOM of any user viewing the content. # Vulnerable Code File: `src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx` Method: Frontend React Component Rendering Why: The JSX block `<Markdown rehypePlugins={[rehypeMathjax, rehypeRaw]}>{processedChatMessage}</Markdown>` processes user input. By enabling `rehypeRaw` without `rehypeSanitize`, dangerous tags and attributes (like `<img onerror=...>` or `<script>`) are preserved and executed by the browser. # Reproduction 1. An authenticated attacker logs into the Langflow GUI. 2. The attacker uses the chat interface to send a message or updates a project's Flow Description. 3. The attacker injects an XSS payload, for example: `<img src=x onerror=alert('XSS_Executed')>`. 4. The backend securely stores this payload in the database without sanitization (which is expected). 5. When the attacker (or any other victim, such as a higher-privileged administrator) views the chat history or the project configuration, the victim's browser renders the malicious Markdown and executes the embedded JavaScript payload. # Impact - Session Hijacking: JavaScript execution allows attackers to steal `access_token` values stored in `LocalStorage`. - Account Takeover and Privileged Actions: Scripts can execute unauthorized asynchronous HTTP API calls on behalf of an administrator, deleting databases or altering security settings. - Persistent Risk: The payload is stored in the database, impacting every user who accesses the compromised project or chat session.
来源	⚠️ https://gist.github.com/chenhouser2025/935aa5d4556264ba408059eec0960b1a
用户	Eric-f (UID 96873)
提交	2026-03-28 14時50分 (24 日前)
管理	2026-04-19 15時47分 (22 days later)
状态	已接受
VulDB条目	358235 [langflow-ai langflow 直到 1.8.3 Frontend React Component Rendering edit-message.tsx 跨网站脚本]
积分	20

◂ 上一步一览下一步 ▸

Do you know our Splunk app?

Download it now for free!