Overview
A critical vulnerability, identified as CVE-2025-34291, has been discovered in Langflow, an AI agent workflow platform. This chained vulnerability affects versions up to and including 1.6.9, potentially allowing attackers to gain full control of affected systems through account takeover and remote code execution (RCE).
Technical Details
The vulnerability stems from a combination of two critical misconfigurations:
- Overly Permissive CORS Configuration: The `allow_origins='*'` setting, combined with `allow_credentials=True`, lets any origin make credentialed cross-origin requests to the Langflow application and read the responses.
- `SameSite=None` Cookie for Refresh Token: The refresh token cookie is configured with `SameSite=None`, so the browser attaches it to cross-site requests.
This combination enables a malicious webpage to perform cross-origin requests that include the victim’s refresh token cookie. By calling the refresh endpoint, the attacker can obtain a fresh set of access and refresh tokens for the victim’s session. Because Langflow includes built-in code execution functionality accessible to authenticated users, the attacker can then use the stolen access token to execute arbitrary code on the server.
In short, the attack flow is as follows:
- Attacker hosts a malicious webpage.
- Victim visits the malicious webpage while logged into Langflow.
- Malicious webpage leverages the CORS misconfiguration to send a request to the Langflow refresh token endpoint, including the victim’s refresh token cookie.
- Langflow server, due to the permissive CORS policy, responds with a new access token and refresh token.
- Malicious webpage captures these tokens.
- Attacker uses the captured access token to access authenticated endpoints in Langflow, including the code execution functionality.
- Attacker executes arbitrary code, leading to full system compromise.
CVSS Analysis
Due to missing information, we are unable to perform a proper CVSS score calculation. However, given the potential for account takeover and remote code execution, this vulnerability is considered highly critical and would likely receive a CVSS score of 9.0 or higher.
Possible Impact
The successful exploitation of CVE-2025-34291 can have severe consequences, including:
- Full System Compromise: Remote code execution allows attackers to execute arbitrary commands on the server, potentially leading to complete system takeover.
- Data Breach: Attackers can access sensitive data stored within the Langflow application or on the underlying system.
- Account Takeover: Attackers can gain control of user accounts, potentially accessing sensitive information or performing unauthorized actions.
- Denial of Service: Attackers can disrupt the availability of the Langflow application.
Mitigation or Patch Steps
The primary mitigation is to update Langflow to a version that addresses this vulnerability. Until an official patch is released, consider the following workarounds, although they may impact functionality:
- Restrict CORS Configuration: Change the `allow_origins` setting to a specific list of trusted domains instead of using `*`. Ensure that `allow_credentials` is set to `False` if possible.
- `SameSite` Attribute for Refresh Token Cookie: Configure the refresh token cookie with `SameSite=Strict` or `SameSite=Lax` to prevent it from being sent in cross-site requests. Note that this might break some legitimate workflows relying on cross-site access.
- Web Application Firewall (WAF): Implement a WAF to detect and block malicious requests targeting the Langflow application. Specifically, look for patterns indicative of cross-origin attacks and attempts to exploit the refresh token endpoint.
It is strongly recommended to monitor the official Langflow channels for updates and apply the official patch as soon as it becomes available.
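One way to check that the first two workarounds have taken effect on your own deployment, as an added example that is not code from Langflow or from the advisories referenced here: the function below audits the response headers returned for a request sent with an untrusted `Origin` and flags the CORS and `SameSite=None` combination described above. The cookie name `refresh_token`, the probe origin, the function names and both sample header sets are constructed for illustration.

```python
PROBE_ORIGIN = "https://untrusted.example"  # constructed origin the deployment should not trust

# Constructed sample responses to a request that carried "Origin: https://untrusted.example".
WEAK = [
    ("Access-Control-Allow-Origin", "https://untrusted.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=REDACTED; Path=/; HttpOnly; Secure; SameSite=None"),
]
HARDENED = [("Set-Cookie", "refresh_token=REDACTED; Path=/; HttpOnly; Secure; SameSite=Strict")]


def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs


def audit_response(headers, probe_origin=PROBE_ORIGIN):
    """Return findings for a list of (name, value) response headers."""
    lower = [(k.lower(), v.strip()) for k, v in headers]
    acao = next((v for k, v in lower if k == "access-control-allow-origin"), None)
    acac = next((v for k, v in lower if k == "access-control-allow-credentials"), "")
    # Browsers only expose a credentialed response when the origin is named
    # explicitly (not "*") and Allow-Credentials is "true".
    cors_open = acao == probe_origin and acac.lower() == "true"
    findings = []
    if cors_open:
        findings.append("cors: untrusted origin can read credentialed responses")
    elif acao == "*":
        findings.append("cors: wildcard origin, readable without credentials")
    for key, value in lower:
        if key != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if attrs.get("samesite", "").lower() == "none":
            findings.append(f"cookie {name}: SameSite=None, sent on cross-site requests")
            if cors_open:
                findings.append(f"chain: {name} is sent cross-site and the response is readable")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(sample))
```

An empty result for the hardened sample means neither half of the chain is present; either finding alone is worth fixing, and the `chain` finding marks the combination this advisory describes.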
References
- Langflow Repository: https://github.com/langflow-ai/langflow
- Obsidian Security Blog: https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
- VulnCheck Advisory: https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce