CVE-2025-34291
- Source
- https://cve.org/CVERecord?id=CVE-2025-34291
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34291.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-34291
- Aliases
- Published
- 2025-12-05T23:15:47.433Z
- Modified
- 2026-03-12T20:19:57.526687Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (alloworigins='*' with allowcredentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh accesstoken / refreshtoken pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
- References
Affected packages
Git / github.com/langflow-ai/langflow
Affected versions
1.*
1.1.2
1.1.3
1.1.4
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.4.2
1.5.0.post1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
v0.*
v0.0.19
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.31
v0.0.32
v0.0.33
v0.0.40
v0.0.44
v0.0.45
v0.0.46
v0.0.52
v0.0.53
v0.0.54
v0.0.55
v0.0.56
v0.0.57
v0.0.58
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.0.75
v0.0.76
v0.0.77
v0.0.78
v0.0.79
v0.0.80
v0.0.81
v0.0.82
v0.0.83
v0.0.84
v0.0.85
v0.0.86
v0.0.87
v0.0.88
v0.0.89
v0.1.0
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.14
v0.4.15
v0.4.16
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.20
v0.4.21
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.0a0
v0.5.0a1
v0.5.0a2
v0.5.0a3
v0.5.0a4
v0.5.0a5
v0.5.0a6
v0.5.0b0
v0.5.0b2
v0.5.0b3
v0.5.0b4
v0.5.0b5
v0.5.0b6
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.0a0
v0.6.0rc1
v0.6.1
v0.6.10
v0.6.11
v0.6.12
v0.6.13
v0.6.14
v0.6.15
v0.6.16
v0.6.17
v0.6.18
v0.6.19
v0.6.2
v0.6.3
v0.6.3a0
v0.6.3a1
v0.6.3a2
v0.6.3a3
v0.6.3a4
v0.6.3a5
v0.6.3a6
v0.6.3a7
v0.6.4
v0.6.4a0
v0.6.4a1
v0.6.5
v0.6.5a0
v0.6.5a1
v0.6.5a10
v0.6.5a11
v0.6.5a12
v0.6.5a13
v0.6.5a2
v0.6.5a3
v0.6.5a4
v0.6.5a5
v0.6.5a6
v0.6.5a7
v0.6.5a8
v0.6.5a9
v0.6.6
v0.6.7
v0.6.7a1
v0.6.7a2
v0.6.7a3
v0.6.7a5
v0.6.8
v0.6.9
v1.*
v1.0.0
v1.0.0a11
v1.0.0a12
v1.0.0a13
v1.0.0a14
v1.0.0a15
v1.0.0a17
v1.0.0a18
v1.0.0a19
v1.0.0a20
v1.0.0a21
v1.0.0a22
v1.0.0a23
v1.0.0a24
v1.0.0a26
v1.0.0a27
v1.0.0a28
v1.0.0a29
v1.0.0a30
v1.0.0a31
v1.0.0a32
v1.0.0a33
v1.0.0a34
v1.0.0a35
v1.0.0a36
v1.0.0a37
v1.0.0a38
v1.0.0a4
v1.0.0a40
v1.0.0a41
v1.0.0a42
v1.0.0a43
v1.0.0a44
v1.0.0a45
v1.0.0a46
v1.0.0a47
v1.0.0a48
v1.0.0a49
v1.0.0a5
v1.0.0a50
v1.0.0a51
v1.0.0a52
v1.0.0a53
v1.0.0a55
v1.0.0a56
v1.0.0a57
v1.0.0a58
v1.0.0a59
v1.0.0a6
v1.0.0a60
v1.0.0a7
v1.0.0a8
v1.0.0rc0
v1.0.0rc1
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.6.8