Langflow account takeover RCE exploited (CVE-2025-34291) [PoC]
Actively exploited in the wild. CVE-2025-34291 is a critical (CVSS 9.4) chained vulnerability in Langflow versions 1.6.9 and earlier: an overly permissive CORS configuration combined with a SameSite=None refresh-token cookie lets any attacker-controlled webpage steal a logged-in user's tokens, which leads to full account takeover and remote code execution. Update to 1.7.0 immediately.
Overview
CVE-2025-34291 affects Langflow versions 1.6.9 and earlier. The vulnerability chains two configuration weaknesses: a permissive CORS policy (allow_origins='*' together with allow_credentials=True) and a refresh-token cookie set with SameSite=None. Browsers refuse a literal `*` in Access-Control-Allow-Origin on a credentialed response, so the CORS middleware Langflow's FastAPI backend uses (Starlette's CORSMiddleware) reflects the requesting Origin instead, which is equivalent to trusting every origin. Because the cookie is SameSite=None, the browser attaches it to cross-site requests as well. Together these let any attacker-controlled webpage send a credentialed cross-origin request to the Langflow refresh endpoint and read the response, which contains a fresh access_token and refresh_token pair for the victim's active session.
Once the attacker holds valid tokens, they can call any authenticated Langflow API endpoint. Critically, Langflow ships built-in code execution functionality behind that authentication, so an attacker with stolen tokens can invoke those endpoints to run arbitrary operating system commands and fully compromise the host. The victim's only involvement is loading an attacker-controlled page while holding an active Langflow session; no click, form submission or other input is needed for the token theft.
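To make the two-link chain concrete, the following added example (not Langflow's code, and not from the advisory) models the browser and middleware rules in plain Python so you can see that either fix on its own breaks the chain. The deployment origin, the attacker origin and the cookie name are assumptions; the behaviour of Starlette's CORSMiddleware with `allow_origins=['*']` plus a cookie-bearing request is what it actually does.

```python
"""Model of the CORS + SameSite=None chain behind CVE-2025-34291.

This is an added example, not Langflow's code. It reproduces two rules in
plain Python so the chain can be stepped through offline:

  1. Starlette's CORSMiddleware (used by Langflow's FastAPI backend) reflects the
     request Origin instead of '*' when allow_origins=['*'] meets a request that
     carries a cookie, because browsers reject a literal '*' next to
     Access-Control-Allow-Credentials: true.
  2. A browser attaches a cookie to a cross-site fetch(..., credentials='include')
     only if the cookie is SameSite=None and Secure.

The origins, the cookie name and the refresh path are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allow_origins: tuple
    allow_credentials: bool


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str        # "None", "Lax" or "Strict"
    secure: bool = True


def cors_response_headers(policy: CorsPolicy, origin: str, request_has_cookie: bool) -> dict:
    """CORS headers the middleware adds to a (non-preflight) response for `origin`."""
    headers = {}
    if "*" in policy.allow_origins:
        # Starlette: a cookie on the request means '*' would be useless to the
        # browser, so the Origin is echoed back. This is the step that trusts every site.
        headers["Access-Control-Allow-Origin"] = origin if request_has_cookie else "*"
    elif origin in policy.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
    else:
        return headers  # origin not allowed: no ACAO header, the browser blocks the read
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_attaches_cookie(cookie: Cookie, cross_site: bool) -> bool:
    """SameSite rule for a cross-site fetch with credentials='include'."""
    if not cross_site:
        return True
    return cookie.samesite == "None" and cookie.secure


def browser_exposes_response(headers: dict, origin: str) -> bool:
    """Does the CORS check let the calling page's JavaScript read the body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials") == "true"
    # A credentialed response needs an exact Origin match plus ACAC: true.
    return acao == origin and creds


def attacker_reads_tokens(policy: CorsPolicy, refresh_cookie: Cookie,
                          attacker_origin: str, langflow_origin: str) -> bool:
    """Simulate attacker_origin POSTing to the refresh endpoint with credentials='include'.

    The call is a CORS 'simple request' (no custom headers), so no preflight runs.
    """
    cross_site = attacker_origin != langflow_origin
    if not browser_attaches_cookie(refresh_cookie, cross_site):
        return False  # the refresh endpoint sees no session and issues no tokens
    headers = cors_response_headers(policy, attacker_origin, request_has_cookie=True)
    return browser_exposes_response(headers, attacker_origin)


LANGFLOW = "https://langflow.example"     # assumed deployment origin
ATTACKER = "https://attacker.example"     # assumed attacker page

# Pre-1.7.0 shape as described in the advisory.
VULNERABLE = CorsPolicy(allow_origins=("*",), allow_credentials=True)
LEAKY_COOKIE = Cookie("refresh_token_lf", samesite="None")   # cookie name is an assumption

# Two independent fixes; either one alone breaks the chain.
ALLOWLIST = CorsPolicy(allow_origins=(LANGFLOW,), allow_credentials=True)
LAX_COOKIE = Cookie("refresh_token_lf", samesite="Lax")


if __name__ == "__main__":
    for label, pol, ck in [("vulnerable", VULNERABLE, LEAKY_COOKIE),
                           ("origin allowlist", ALLOWLIST, LEAKY_COOKIE),
                           ("SameSite=Lax", VULNERABLE, LAX_COOKIE)]:
        print(f"{label:17s} tokens readable by attacker page: "
              f"{attacker_reads_tokens(pol, ck, ATTACKER, LANGFLOW)}")
```

One caveat the model makes visible: the attack only works because the refresh call is a CORS simple request. A credentialed request that needed a preflight would get `Access-Control-Allow-Origin: *` on the OPTIONS response and be blocked by the browser, so an endpoint that requires a custom header (or a JSON body with a non-simple content type) would not have been reachable this way.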
Impact
Successful exploitation results in complete account takeover and remote code execution with the privileges of the Langflow process. The CVSS score of 9.4 (Critical) reflects a network-reachable attack of low complexity: the attacker needs no account on the target instance, and the victim's only involvement is loading an attacker-controlled page while logged in. The EPSS score of 9.5% places this CVE well above the typical vulnerability, and exploitation has already been observed in the wild.
Affected Versions
- Langflow 1.6.9 and all earlier versions
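A version check you can run on a host, added here as an example rather than an official Langflow or Yazoul tool. It reads the installed package version via `importlib.metadata` and compares it against 1.7.0 with a proper parser, because a plain string comparison gets this wrong (`'1.10.0' < '1.7.0'` is True as strings) and pre-releases such as 1.7.0rc1 still predate the fix.

```python
"""Compare an installed Langflow version against the 1.7.0 fix for CVE-2025-34291.

Added example, not an official Langflow or Yazoul tool. Versions are parsed into
comparable tuples so that '1.10.0' sorts after '1.7.0' and '1.7.0rc1' before it.
"""
import re
from importlib import metadata
from typing import Optional

FIXED_VERSION = "1.7.0"

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:[-.]?(?P<tag>dev|a|b|rc)\.?(?P<num>\d*))?$"
)
_TAG_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3}   # every pre-release sorts before final


def parse_version(text: str) -> tuple:
    """'1.6.9' -> (1, 6, 9, 4); '1.7.0rc1' -> (1, 7, 0, 3, 1). Raises on unknown shapes."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(m.group(k)) for k in ("major", "minor", "patch"))
    if m.group("tag") is None:
        return core + (4,)            # final release ranks above every pre-release tag
    return core + (_TAG_RANK[m.group("tag")], int(m.group("num") or 0))


def is_affected(version: str) -> bool:
    """True if this Langflow version still has the vulnerable CORS/cookie defaults."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_langflow_version() -> Optional[str]:
    """Version of the langflow package in the current interpreter, or None if absent."""
    try:
        return metadata.version("langflow")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_langflow_version()
    if v is None:
        print("langflow is not installed in this interpreter")
    elif is_affected(v):
        print(f"langflow {v}: AFFECTED, update to {FIXED_VERSION} or later")
    else:
        print(f"langflow {v}: not affected by CVE-2025-34291")
```

Run it with the same interpreter (or virtual environment) that serves Langflow; a system-wide Python may report a different package than the one actually running. Container images should be checked by executing the script inside the container.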
Remediation and Mitigation
Immediate Action: Update to Langflow 1.7.0 or later, which hardens the CORS configuration and removes the cookie-based token exchange that enabled this attack chain. There is no workaround that fully mitigates the vulnerability without patching.
If immediate patching is not possible: restrict network access to Langflow instances to trusted IP ranges (a stolen token is only useful if the attacker can reach the API with it); disable the built-in code execution components if your deployment allows it; and, at a reverse proxy in front of Langflow, reject requests to the authentication and refresh endpoints whose Origin header is not your own front-end origin. Keep in mind that the victim's own browser carries the session, so IP allowlisting alone does not stop the token theft when the victim is inside the allowed range. Monitor access logs for requests to the refresh endpoint that carry an Origin header other than your deployment's host, and for bursts of refresh activity from one client.
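The log check above, as an added example that is not part of the advisory or of Langflow. It assumes the reverse proxy in front of Langflow writes the request's Origin header into the access log (nginx can do this with `$http_origin` in `log_format`); Langflow's own uvicorn access log does not include it. The refresh path, the trusted origin and the sample log lines are constructed for this deployment.

```python
"""Flag cross-origin hits on the Langflow token-refresh endpoint in access logs.

Added example, not Langflow's own logging. The log format, the refresh path and
the trusted origin are assumptions; adapt them to your proxy configuration.
"""
import re
from collections import Counter
from typing import Iterable, Optional

REFRESH_PATH = "/api/v1/refresh"                 # assumed refresh endpoint
TRUSTED_ORIGINS = {"https://langflow.example"}   # your own front-end origin(s)

# Assumed log format: <ts> <client ip> "<method> <path> <proto>" <status> origin="<Origin or ->"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) origin="(?P<origin>[^"]*)"$'
)

# Constructed sample log: 198.51.100.7 is a legitimate user whose browser is first
# driven by the real UI and then by an attacker page; 203.0.113.9 probes without a session.
SAMPLE_LOG = """\
2025-12-02T10:00:01Z 198.51.100.7 "POST /api/v1/refresh HTTP/1.1" 200 origin="https://langflow.example"
2025-12-02T10:00:05Z 198.51.100.7 "GET /api/v1/flows/ HTTP/1.1" 200 origin="-"
2025-12-02T10:02:13Z 198.51.100.7 "POST /api/v1/refresh HTTP/1.1" 200 origin="https://attacker.example"
2025-12-02T10:02:14Z 198.51.100.7 "POST /api/v1/refresh HTTP/1.1" 200 origin="https://attacker.example"
2025-12-02T10:03:00Z 203.0.113.9 "POST /api/v1/refresh HTTP/1.1" 401 origin="null"
"""


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cross_origin_refreshes(lines: Iterable[str], trusted=None) -> list:
    """Refresh-endpoint requests whose Origin is foreign, including the opaque 'null' origin.

    Requests with no Origin header ('-') are same-origin navigations or non-browser
    clients and are not flagged. A 200 with a foreign Origin means the server already
    handed out a token pair; treat that session as stolen regardless of what the
    browser let the attacker's script read.
    """
    trusted = TRUSTED_ORIGINS if trusted is None else trusted
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != REFRESH_PATH:
            continue
        origin = rec["origin"]
        if origin == "-" or origin in trusted:
            continue
        hits.append(rec)
    return hits


def summarise(hits: list) -> Counter:
    """Count (client ip, origin, status) so repeated refreshes from one victim stand out."""
    return Counter((h["ip"], h["origin"], h["status"]) for h in hits)


if __name__ == "__main__":
    found = cross_origin_refreshes(SAMPLE_LOG.splitlines())
    for (ip, origin, status), n in summarise(found).items():
        print(f"{ip:15s} origin={origin:28s} status={status} count={n}")
```

A `null` Origin (sandboxed iframe, some redirects, or file:// pages) is worth flagging even on a 401, because it usually indicates a probe rather than your own UI. After patching, keep the rule: any foreign-Origin hit on the refresh endpoint that returns 200 is a finding in its own right.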
Security Insight
This vulnerability illustrates a dangerous pattern: development-convenience settings, allow_origins='*' together with allow_credentials=True and a SameSite=None session cookie, combine into a cross-origin credentialed read. That is worse than classic CSRF, where the attacker can send a request but never read the response; here the attacker's page reads the response body, and the body is the token pair. Neither setting is normally needed in production (an explicit origin allowlist and SameSite=Lax cover the legitimate single-page-app case), and the combination should be treated as a security smell in code review.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| amnnrth/CVE-2025-34291_cors_security_scanner A lightweight Python-based security assessment tool for detecting dangerous Cross-Origin Resource Sharing (CORS) misconfigurations - CVE-2025-34291. | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Nuclei Detection Templates
Detection template available — your exposure is being scanned
The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are detection rules that confirm whether a target is vulnerable, not exploit code. Once a template is in the public repository, bug bounty hunters, AppSec teams, red teams and automated reconnaissance pipelines can run it against anything reachable on the internet.
Assume your exposed instances have already been fingerprinted. Patch even if no exploitation is observed yet: a positive scan result usually precedes exploitation attempts rather than following them, and this CVE is already being exploited in the wild.
| Template | Source |
|---|---|
| CVE-2025-34291.yaml | projectdiscovery/nuclei-templates |
1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
Related Advisories
- Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker tamper with the va...
- Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes...
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an ...
- WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers ...