CVE-2025-68478 Overview
CVE-2025-68478 is an arbitrary file write vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. Versions prior to 1.7.0 accept a user-controlled fs_path parameter in the request body without path validation or directory enforcement. The server serializes Flow objects into JSON and writes them to the supplied path, including absolute paths such as /etc/poc.txt. An authenticated attacker can create or overwrite files anywhere the Langflow process has write access. The maintainers fixed the issue in version 1.7.0. The flaw is tracked under [CWE-73] (External Control of File Name or Path) and [CWE-610] (Externally Controlled Reference to a Resource in Another Sphere).
Critical Impact
Authenticated attackers can write or overwrite arbitrary files on the Langflow host, enabling integrity compromise, configuration tampering, and potential code execution through overwritten scripts or service files.
Affected Products
- Langflow versions prior to 1.7.0
- Self-hosted Langflow deployments exposing the Flow save API
- Containerized Langflow instances where the process user has write access to sensitive paths
Discovery Timeline
- 2025-12-19 - CVE-2025-68478 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-68478
Vulnerability Analysis
Langflow exposes an API endpoint that serializes a Flow object to JSON and persists it to disk. The destination is supplied by the client through the fs_path field in the request body. The server passes this value directly to file write operations without normalization, canonicalization, or allowlist checks. As a result, any path the operating system accepts, including absolute paths and traversal sequences, is honored.
The vulnerability is exploitable over the network and requires only low-privileged authentication. Confidentiality is not directly affected, but integrity is high because the attacker controls the destination file. Availability is partially affected when overwriting files that the Langflow service or operating system depends on.
Root Cause
The root cause is missing input validation on a file path parameter. The Flow save handler trusts the client-supplied fs_path value and does not enforce a base directory, reject absolute paths, or strip traversal segments such as ../. This pattern aligns with [CWE-73], where external input directly controls a filesystem resource identifier.
Attack Vector
An authenticated user sends a request to the Flow save endpoint with fs_path set to an attacker-chosen location. The server serializes the Flow to JSON and writes the file at that exact path, replacing any existing content. Attackers can overwrite cron job definitions, shell startup files, Python site-packages, or web server configuration to achieve persistence or code execution. The blast radius depends on the privileges of the Langflow process; deployments running as root or inside privileged containers face the largest exposure. See the GitHub Security Advisory GHSA-f43r-cc68-gpx4 for vendor details.
Detection Methods for CVE-2025-68478
Indicators of Compromise
- Langflow API requests containing fs_path values with absolute paths or ../ traversal sequences
- Unexpected JSON files appearing outside the Langflow data directory, particularly in /etc, /var, user home directories, or Python package paths
- Modification timestamps on system or service files that correlate with Langflow API activity
Detection Strategies
- Inspect Langflow access logs and reverse proxy logs for POST or PUT requests carrying fs_path parameters and flag any value that is not contained within the approved Flow storage directory
- Deploy filesystem integrity monitoring on hosts running Langflow to alert on writes to sensitive directories by the Langflow service account
- Correlate authentication events with file creation events to identify which Langflow user account produced anomalous writes
Monitoring Recommendations
- Enable verbose request logging on the Langflow API and forward logs to a centralized analytics platform for retention and search
- Alert on Langflow process writes to paths outside an explicit allowlist using audit subsystem rules such as Linux auditd
- Track the deployed Langflow version across hosts and generate alerts for any instance below 1.7.0
How to Mitigate CVE-2025-68478
Immediate Actions Required
- Upgrade Langflow to version 1.7.0 or later on all self-hosted and containerized deployments
- Restrict network access to the Langflow API so only trusted users and networks can reach the Flow save endpoint
- Review Langflow user accounts and remove or rotate credentials that are no longer required
- Audit the filesystem of each Langflow host for unexpected JSON files created since the service was deployed
Patch Information
Langflow version 1.7.0 fixes the issue by enforcing path restrictions on the fs_path parameter. Refer to the GitHub Security Advisory GHSA-f43r-cc68-gpx4 for the official remediation guidance.
Workarounds
- Run Langflow as a dedicated unprivileged user with write access limited to the Flow storage directory only
- Deploy Langflow inside a container with a read-only root filesystem and a single writable volume mounted at the Flow storage path
- Front the Langflow API with a reverse proxy that rejects requests where fs_path contains absolute paths or ../ sequences until the upgrade is applied
# Example: upgrade Langflow via pip
pip install --upgrade "langflow>=1.7.0"
# Verify the installed version
python -c "import langflow; print(langflow.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

