CVE-2025-34291 Overview
CVE-2025-34291 is a critical chained vulnerability affecting Langflow, a popular AI agent workflow platform, that enables both account takeover and remote code execution. The vulnerability stems from an overly permissive CORS configuration combined with insecure cookie settings, allowing attackers to hijack user sessions and execute arbitrary code on vulnerable systems.
The attack chain exploits two misconfigurations: a CORS policy set with allow_origins='*' alongside allow_credentials=True, and a refresh token cookie configured as SameSite=None. This combination permits malicious webpages to perform cross-origin requests that include credentials, enabling attackers to call the refresh endpoint and obtain fresh access_token / refresh_token pairs for victim sessions.
Critical Impact
Attackers can achieve full system compromise by hijacking authenticated sessions and leveraging Langflow's built-in code execution functionality to run arbitrary commands.
Affected Products
- Langflow versions up to and including 1.6.9
Discovery Timeline
- 2025-12-05 - CVE-2025-34291 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-34291
Vulnerability Analysis
This vulnerability represents a chained exploitation path combining Origin Validation Error (CWE-346) with insecure session management. The root issue lies in the application's failure to properly restrict cross-origin requests while simultaneously allowing credentials to be sent with those requests.
When a user with an active Langflow session visits a malicious webpage, the attacker-controlled site can make authenticated requests to the Langflow API. Because the CORS policy accepts all origins (*) and the SameSite=None cookie attribute permits cross-site cookie transmission, the victim's refresh token cookie is automatically included in these requests.
The attacker can then call the /api/v1/refresh endpoint to obtain new access and refresh tokens, effectively hijacking the victim's session. With valid authentication tokens in hand, the attacker gains access to all authenticated endpoints, including Langflow's code execution capabilities that are integral to its AI workflow functionality.
Root Cause
The vulnerability originates from two interconnected misconfigurations in Langflow's authentication and CORS handling:
Overly Permissive CORS Policy: The application sets allow_origins='*' (wildcard) while simultaneously enabling allow_credentials=True. This configuration violates security best practices, as the CORS specification explicitly warns against combining wildcard origins with credential sharing. Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is the literal *, so middleware given this combination (Starlette's CORSMiddleware, used by FastAPI applications, is one example) reflects the requesting Origin instead; the net effect is that every origin is trusted.
Insecure Cookie Configuration: The refresh token cookie is set with SameSite=None, which instructs browsers to send the cookie with all cross-site requests. Without a restrictive CORS policy, this creates a pathway for credential theft.
Attack Vector
The attack requires user interaction in the form of visiting a malicious webpage while authenticated to a vulnerable Langflow instance. The exploitation flow proceeds as follows:
- The attacker hosts a webpage containing JavaScript designed to interact with the target Langflow instance
- A victim with an active Langflow session visits the malicious page
- The attacker's JavaScript makes a cross-origin request to the Langflow refresh endpoint
- Due to the misconfigured CORS and cookie settings, the request includes the victim's refresh token
- The attacker receives fresh access and refresh tokens in the response
- Using the stolen tokens, the attacker accesses authenticated endpoints and leverages built-in code execution functionality to compromise the system
The attack exploits network-accessible endpoints and requires no special privileges, though it does depend on victim interaction with the attacker's malicious webpage.
Detection Methods for CVE-2025-34291
Indicators of Compromise
- Unexpected or anomalous refresh token requests originating from external IP addresses or unusual geographic locations
- Access token usage patterns showing requests from multiple distinct IP addresses within short timeframes
- Authentication logs showing token refresh activity followed by code execution endpoint access from different network sources
- Suspicious workflow executions or code execution requests initiated through the Langflow API
Detection Strategies
- Monitor CORS-related headers in web server logs for requests with unusual Origin headers targeting authentication endpoints
- Implement anomaly detection for refresh token endpoint usage, particularly looking for tokens being refreshed from new IP addresses
- Audit code execution and workflow trigger events for unauthorized or unexpected activity
- Review authentication logs for session activity patterns indicative of token theft
Monitoring Recommendations
- Enable detailed logging for all authentication-related endpoints, including /api/v1/refresh
- Configure alerting for code execution operations, especially those that do not correlate with expected user activity
- Implement session binding to track IP address consistency throughout a session lifecycle
- Monitor for elevated API call rates from individual sessions that may indicate automated exploitation
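Added example, not from the advisory or the Langflow project: a detector that applies the two strategies above (foreign Origin on refresh calls; a refresh followed by code execution from a different address) over constructed log lines. The log format with a user field, the trusted origin and the code-execution path prefixes are assumptions to adapt to your own deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed log format (assumption, not Langflow's own): ts ip user method path status "origin"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
                    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<origin>[^"]*)"$')
TRUSTED_ORIGINS = {"https://langflow.internal.example"}  # assumption: the UI's own origin
REFRESH_PATH = "/api/v1/refresh"
# Assumption: path prefixes of the endpoints that run user-supplied code in this deployment
CODE_EXEC_PREFIXES = ("/api/v1/build/", "/api/v1/validate/code")
WINDOW = timedelta(minutes=15)

def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def foreign_origin_refreshes(events):
    """Strategy 1: refresh calls whose Origin is not the Langflow UI itself. Browsers send
    Origin on cross-site POSTs, so a foreign value means another site drove the request."""
    return [(e["user"], e["ip"], e["origin"]) for e in events
            if e["path"] == REFRESH_PATH and e["origin"] not in ("-", "")
            and e["origin"] not in TRUSTED_ORIGINS]

def ip_switch_after_refresh(events):
    """Strategy 2: a user's successful refresh followed within WINDOW by code execution from
    a different client IP, i.e. the freshly issued tokens being used from elsewhere."""
    hits, last_refresh = [], {}  # user -> (ts, ip) of the latest successful refresh
    for e in events:
        if e["path"] == REFRESH_PATH and e["status"] == "200":
            last_refresh[e["user"]] = (e["ts"], e["ip"])
        elif e["path"].startswith(CODE_EXEC_PREFIXES) and e["user"] in last_refresh:
            r_ts, r_ip = last_refresh[e["user"]]
            if e["ip"] != r_ip and e["ts"] - r_ts <= WINDOW:
                hits.append((e["user"], r_ip, e["ip"], e["path"]))
    return hits

# Constructed sample: alice is normal; bob's browser refreshed on behalf of another site and
# the resulting tokens were then used from an unrelated address.
SAMPLE_LOG = [
    '2025-12-06T10:00:00 10.0.0.5 alice POST /api/v1/refresh 200 "https://langflow.internal.example"',
    '2025-12-06T10:01:00 10.0.0.5 alice POST /api/v1/build/flow-1/flow 200 "https://langflow.internal.example"',
    '2025-12-06T10:05:00 10.0.0.9 bob POST /api/v1/refresh 200 "https://attacker-site.example"',
    '2025-12-06T10:06:30 203.0.113.7 bob POST /api/v1/validate/code 200 "-"',
]
```

Run `parse(SAMPLE_LOG)` and feed the result to both functions; only bob's session should be reported by each.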
How to Mitigate CVE-2025-34291
Immediate Actions Required
- Upgrade Langflow to a version newer than 1.6.9 that addresses the CORS and cookie configuration issues
- Review active sessions and invalidate any that show suspicious activity patterns
- Audit recent code execution logs for signs of unauthorized access or malicious activity
- Consider temporarily restricting network access to Langflow instances until patches can be applied
Patch Information
Organizations running Langflow versions 1.6.9 or earlier should upgrade to the latest available version immediately. Consult the Langflow GitHub repository for the latest release information and upgrade instructions. The Obsidian Security advisory provides additional technical context regarding the vulnerability.
Workarounds
- Configure a reverse proxy or web application firewall to enforce strict CORS policies that only allow trusted origins
- Implement network-level access controls to restrict which IP addresses can reach the Langflow instance
- Disable or restrict access to code execution functionality for non-essential users until patching is complete
- Consider deploying Langflow behind a VPN or zero-trust network access solution to limit exposure
# Example nginx configuration to restrict CORS origins
# Place in the nginx server block that proxies to Langflow
location /api/ {
    # Reflect only an Origin on the trusted list. For any other Origin $cors_origin stays
    # empty and nginx omits the header entirely (add_header skips empty values).
    set $cors_origin "";
    if ($http_origin ~* "^https://(app\.yourdomain\.com|trusted\.example\.com)$") {
        set $cors_origin $http_origin;
    }
    # Strip the permissive CORS headers Langflow itself emits so the browser only ever sees
    # the values set here, including on preflight (OPTIONS) responses.
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Credentials';
    proxy_hide_header 'Access-Control-Allow-Methods';
    proxy_hide_header 'Access-Control-Allow-Headers';
    add_header 'Access-Control-Allow-Origin' $cors_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type' always;
    # Responses differ per Origin; keep caches from serving one origin's answer to another
    add_header 'Vary' 'Origin' always;
    proxy_pass http://langflow_backend;
}
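Added example, not from the advisory or the Langflow project: a check for the two root-cause conditions in a refresh-endpoint response, useful for verifying a patched instance or the proxy workaround above. It takes the headers of a response to a request that carried an Origin you do not trust; the response headers, the cookie name refresh_token and the trusted origin are constructed assumptions.

```python
# Constructed responses below are illustrative, not captured from a real Langflow instance.

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}); attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def audit_cors(request_origin, headers, trusted_origins):
    """CORS half of the chain: credentials allowed together with a wildcard origin, or with
    an untrusted Origin reflected back. `headers` keys are expected lowercased."""
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if creds and acao == "*":
        findings.append("credentials allowed with wildcard Access-Control-Allow-Origin")
    if creds and acao == request_origin and request_origin not in trusted_origins:
        findings.append(f"untrusted origin {request_origin} reflected with credentials")
    return findings

def audit_cookies(set_cookie_headers, refresh_cookie_hint="refresh"):
    """Cookie half of the chain: a refresh-token cookie that browsers send cross-site."""
    findings = []
    for h in set_cookie_headers:
        name, _, attrs = parse_set_cookie(h)
        if refresh_cookie_hint in name.lower() and attrs.get("samesite", "").lower() == "none":
            findings.append(f"cookie {name} is SameSite=None")
    return findings

def audit_refresh_response(request_origin, headers, set_cookies, trusted_origins):
    """Empty list means neither condition of CVE-2025-34291 is present in this response."""
    return audit_cors(request_origin, headers, trusted_origins) + audit_cookies(set_cookies)

PROBE_ORIGIN = "https://not-your-langflow.example"  # an Origin the instance must not trust
TRUSTED = {"https://langflow.internal.example"}     # assumption: the UI's own origin

# Before the fix: probe Origin reflected with credentials, refresh cookie sent cross-site
VULNERABLE = ({"access-control-allow-origin": PROBE_ORIGIN,
               "access-control-allow-credentials": "true"},
              ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=None"])
# What a hardened response looks like: no ACAO for the untrusted Origin, cookie SameSite=Lax
HARDENED = ({"access-control-allow-credentials": "true"},
            ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"])
```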
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.