External risk intelligence

Langflow account takeover and code execution vulnerability affects customer data and systems.

CVE advisoryKnown Exploit

CVE-2025-34291

A critical flaw in Langflow lets attackers steal user sessions and run malicious code, potentially compromising your systems and data by exploiting a web configuration weakness.

4Halo Surface Signal

Remote Code Execution

Langflow

1.6.9 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2025-34291

Langflow is a web-based application platform designed for team access and workflow management. As a web interface that manages user sessions and dashboards, it is typically deployed as a network-reachable service, creating an attack surface that is commonly exposed within internal networks or via internet-accessible web application configurations.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Langflow allows unauthorized users to take over accounts and execute malicious code. This issue stems from an insecure web configuration that permits malicious websites to steal session tokens. Once a token is stolen, an attacker can access all authenticated features, including code execution, leading to full system compromise.

  • Malicious websites can steal user tokens.
  • Attackers can execute arbitrary code.
  • This impacts systems that use Langflow.

Attack Path

How an attacker could exploit the issue

An attacker can leverage this vulnerability by tricking a victim into visiting a malicious webpage. This webpage will then exploit the overly permissive CORS configuration to steal the victim's session tokens. With these stolen tokens, the attacker can access authenticated endpoints, including those that allow code execution, to achieve full system compromise.

  • Attacker hosts malicious site.
  • Victim visits attacker site.
  • Stolen tokens grant RCE.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is attractive to attackers due to its potential for account takeover and remote code execution, allowing for full system compromise. The ease of exploitation, requiring only a malicious webpage and a victim's session, makes it a prime target. Its inclusion on the CISA KEV catalog indicates observed exploitation.

  • Listed on CISA KEV catalog.
  • Publicly available exploits exist.
  • Recency signals suggest active exploitation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking traffic to any identified Langflow instances, as this critical vulnerability allows unauthenticated attackers to take over accounts and execute arbitrary code. Given that this vulnerability is actively exploited and has a high CVSS score, immediate containment is crucial if patching cannot be performed. Focus on identifying all instances and isolating them from the network until they can be secured or removed.

  • Block network access to affected services.
  • Update Langflow to a patched version.
  • Monitor for suspicious authenticated activity.

Frequently asked questions

What is Langflow and its primary function in AI development?

Langflow is a platform used for building and managing AI agent workflow applications. It offers a visual interface that enables users to develop, experiment with, and deploy AI-powered workflows.

What type of weakness does CVE-2025-34291 represent?

CVE-2025-34291 is related to an origin validation error (CWE-346). This occurs when a web application incorrectly validates the origin of incoming requests, permitting unintended interactions between different web domains.

How can an attacker exploit this Langflow vulnerability?

An attacker can exploit this by creating a malicious webpage. This page, by leveraging an overly permissive CORS configuration combined with a SameSite=None refresh token cookie, can perform cross-origin requests with credentials. Successfully calling the refresh endpoint allows the attacker to obtain new access and refresh tokens for a victim's session.

What is the significance of CVE-2025-34291 being on the CISA Known Exploited Vulnerabilities catalog?

CVE-2025-34291 is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating that it has been observed in active exploitation. This elevates its priority for remediation due to the demonstrated threat of account takeover and remote code execution.

What are the recommended immediate actions for systems affected by this vulnerability?

Immediate actions should include blocking network access to identified Langflow instances to contain the threat, especially if immediate patching is not feasible. It is crucial to identify all affected instances and isolate them until they can be secured, which involves updating Langflow to a patched version and monitoring for any suspicious authenticated activity.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified