CVE-2025-34291 | Langflow | AT
| Field | Details |
|---|---|
| Vulnerability | CVE-2025-34291 |
| Type | Origin Validation Error (CWE-346) / Account Takeover / Remote Code Execution |
| Description | A critical vulnerability in Langflow (versions 1.6.9 and earlier) allowing for complete account takeover and remote code execution. The flaw stems from an overly permissive Cross-Origin Resource Sharing (CORS) configuration combined with a lack of CSRF protection on the token refresh endpoint. |
| Affected Systems | Langflow versions up to and including 1.6.9 |
| Attack Vector | Remote (Network) via User Interaction. The attack is triggered when an authenticated victim visits a malicious webpage controlled by the attacker (Drive-by compromise). |
| Exploit Mechanism | 1. Credential Theft: The attacker hosts a malicious site. When a victim visits, the site sends a cross-origin request to the Langflow refresh endpoint. Due to permissive CORS (allow_origins='*') and SameSite=None cookies, the browser includes the victim’s session cookies.2. RCE: The attacker receives a valid access_token and refresh_token, which are used to authenticate against the API and invoke the built-in code validation endpoint to execute arbitrary Python code. |
| Impact of the Bug | Critical (CVSS 9.4). Successful exploitation results in full system compromise. Attackers can execute arbitrary code on the server, steal sensitive data, and hijack user sessions. |
| Detection Techniques | Review Langflow configuration files or environment variables for the LANGFLOW_CORS_ORIGINS setting. If it is set to * (wildcard) or missing (defaulting to permissive in older versions), the instance is vulnerable. |
| How to Detect if Exploited | Monitor access logs for requests to the /api/v1/refresh endpoint originating from unexpected or external Referer / Origin headers. Audit logs for unexpected execution of Python code or creation of custom components by users at unusual times. |
| Mitigation Steps | Upgrade: Upgrade to Langflow version 1.7.0 or later, which enforces stricter origin validation by default. Configuration: Explicitly define trusted domains using the LANGFLOW_CORS_ORIGINS environment variable rather than using the wildcard *. |
| Workaround if Available | If immediate patching is not possible, manually restrict the Cross-Origin Resource Sharing (CORS) policy by setting LANGFLOW_CORS_ORIGINS to the specific domain(s) where Langflow is hosted, preventing cross-origin requests from arbitrary attacker sites. |
| References | - https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform - https://nvd.nist.gov/vuln/detail/CVE-2025-34291 - https://github.com/advisories/GHSA-577h-p2hh-v4mv |