CVE-2025-34291
Published: 05 December 2025
Summary
CVE-2025-34291 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Langflow Langflow. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
Langflow versions up to and including 1.6.9 contain a chained vulnerability stemming from an overly permissive CORS policy that sets allow_origins to wildcard while also enabling allow_credentials, paired with a refresh token cookie configured as SameSite=None. This combination is tracked under CWE-346 and carries a CVSS 4.0 score of 9.4.
An attacker who can lure a victim to a malicious webpage can issue cross-origin requests that include credentials, invoke the refresh endpoint, and obtain fresh access and refresh token pairs. With those tokens the attacker gains access to authenticated endpoints, including Langflow’s built-in code-execution functionality, resulting in arbitrary code execution and full system compromise.
The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog and has been analyzed in public reports from Obsidian Security and VulnCheck. Its EPSS score has remained elevated, reaching a peak of 0.3538 and currently sitting at 0.3275, indicating sustained exploitation interest since disclosure. Langflow is an AI-agent workflow platform, making the remote-code-execution path particularly concerning for organizations running unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-201507
Vulnerability details
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage…
more
to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
- CWE(s)
- KEV Date Added
- 21 May 2026
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langflow
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) via phishing-delivered malicious webpage (T1566.002) to steal application access/refresh tokens (T1528), leading to account takeover and RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires establishment of secure configuration settings for web applications, directly mitigating the permissive CORS (allow_origins='*') and unsafe SameSite=None cookie configurations exploited in this CVE.
Mandates timely flaw remediation including patching Langflow to versions beyond 1.6.9, eliminating the chained vulnerability enabling token theft and RCE.
Enforces boundary protections such as web application firewalls or proxies to monitor and restrict unauthorized cross-origin credentialed requests to the refresh endpoint.