CVE-2025-34291
Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
In short
Langflow versions up to 1.6.9 allow an attacker-controlled website to steal login tokens from visiting victims and then execute arbitrary code on the server. This happens because the application accepts credentialed cross-origin requests from any website and sets its refresh-token cookie so that browsers attach it to those cross-site requests, letting the attacker obtain the victim's authentication tokens.
Technical detail
CORS misconfiguration (allow_origins='*' with allow_credentials=True) combined with SameSite=None refresh token cookies enables cross-origin token theft via browser-based requests. Attackers exploit the refresh endpoint to obtain valid access_token/refresh_token pairs for victim sessions, then leverage authenticated code-execution endpoints to achieve RCE. No user interaction is required beyond the victim visiting an attacker-controlled origin while authenticated.
Summary generated and translated by AI from the official description.
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
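As an added example (not Langflow's own code), a small check a defender can run over captured response headers from the refresh endpoint to confirm both halves of the chain described above: the probe origin, header values and cookie name are constructed placeholders. It treats a reflected request Origin as equivalent to '*', since browsers reject the literal wildcard together with credentials and "allow all" middleware therefore usually echoes the Origin instead.

```python
from typing import Dict, List, Union

Headers = Dict[str, Union[str, List[str]]]
PROBE_ORIGIN = "https://attacker.example"  # constructed: any origin the app must not trust


def cors_allows_credentialed_cross_origin(headers: Headers, probe_origin: str) -> bool:
    """True when a foreign origin may read the response with credentials attached.
    Browsers refuse '*' with credentials, so "allow all" middleware that also allows
    credentials usually reflects the request Origin instead; both forms are flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    creds = str(h.get("access-control-allow-credentials", "")).strip().lower() == "true"
    acao = str(h.get("access-control-allow-origin", "")).strip()
    return creds and acao in ("*", probe_origin)


def cookie_sent_cross_site(set_cookie: str) -> bool:
    """True when the cookie is SameSite=None, so browsers attach it to cross-site requests."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "samesite":
            return value.strip().lower() == "none"
    return False  # no SameSite attribute: current browsers default to Lax


def audit_refresh_response(headers: Headers, probe_origin: str = PROBE_ORIGIN) -> List[str]:
    """List the findings that together let a hostile page use the refresh endpoint."""
    findings = []
    if cors_allows_credentialed_cross_origin(headers, probe_origin):
        findings.append("CORS: credentialed response readable by an arbitrary origin")
    cookies = {k.lower(): v for k, v in headers.items()}.get("set-cookie", [])
    for c in ([cookies] if isinstance(cookies, str) else cookies):
        if cookie_sent_cross_site(c):
            findings.append(f"Cookie '{c.split('=', 1)[0]}' is SameSite=None")
    return findings


# Constructed response to a request that carried "Origin: https://attacker.example".
VULNERABLE = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,  # reflected: allow_origins='*' + credentials
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=None"],
}
# Constructed response after the fix: explicit allow-list (probe origin not echoed), SameSite=Lax.
HARDENED = {
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": ["refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
# audit_refresh_response(VULNERABLE) -> two findings; audit_refresh_response(HARDENED) -> []
```

Either finding alone is worth fixing, but the token theft needs both, so a clean result on the hardened response means the chain is broken.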