id: CVE-2025-34291 info: name: Langflow AI <= 1.6.9 - CORS Misconfiguration author: 686f6c61 severity: critical description: | Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint. impact: | An attacker can steal authentication tokens via CORS and execute arbitrary code on the server. remediation: | Upgrade to Langflow version 1.7.0 or later which restricts CORS origins properly. reference: - https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform - https://nvd.nist.gov/vuln/detail/CVE-2025-34291 - https://github.com/langflow-ai/langflow classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H cvss-score: 9.4 cve-id: CVE-2025-34291 epss-score: 0.32746 epss-percentile: 0.96966 cwe-id: CWE-942 metadata: verified: true max-request: 2 vendor: langflow-ai product: langflow shodan-query: html:"Langflow" fofa-query: body="Langflow" tags: cve,cve2025,langflow,cors,misconfig,vuln,oss,vkev,kev flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: word part: body words: - "Langflow" internal: true - raw: - | OPTIONS /api/v1/refresh HTTP/1.1 Host: {{Hostname}} Origin: https://scanme.sh Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type matchers-condition: and matchers: - type: word part: header words: - "Access-Control-Allow-Origin: https://scanme.sh" - "Access-Control-Allow-Credentials: true" condition: and - type: status part: header status: - 200 # digest: 4b0a0048304602210097df5a45579ac77f58963e0c2f9e3b9eb5b01fca3f84e382450d31b6f96e4e74022100edab8789af17fa74050e0dcd8d90fe28e6ba9c477eebd15b0873d8f7c8712a7d:922c64590222798bb761d5b6d8e72950