Langflow CSV Agent Misconfiguration Enables RCE

Vulnerability Description: The CSV Agent in Langflow has a hardcoded allow_dangerous_code=True, enabling the Python REPL tool (python_repl_ast). This allows attackers to inject and execute arbitrary OS commands, leading to RCE.
PoC Significance: The PoC demonstrates that an attacker can trigger RCE by sending specific prompts, highlighting critical security flaws in Langflow's default configuration.
Detection Guidance: Monitor for unauthorized use of python_repl_ast actions and unexpected system commands in logs. Implement strict access controls on the CSV Agent.
Mitigation Steps: Disable allow_dangerous_code by default, provide a toggle for it, and regularly audit Langflow configurations.
Risk Assessment: High likelihood of exploitation due to ease of attack vectors; critical risk as RCE can lead to full system compromise.