Enterprises using the open-source AI orchestration platform Langflow are being urged to patch a high-severity path traversal flaw amid active exploitation, despite a fix having been available for more than two months.
The bug, which stems from improper handling of filenames in Langflow’s file upload functionality, can allow attackers to write files to arbitrary locations within the affected system and, under certain conditions, can be used to achieve remote code execution (RCE) on affected servers.
An added complexity is that Langflow is shipping with an auto-login behavior, allowing unauthenticated users with a valid session to reach the vulnerable endpoint without credentials.
“Langflow is...