CVE-2025-34291

CVE-2025-34291 is a chained vulnerability in Langflow versions up to and including 1.6.9 that enables account takeover and remote code execution. It stems from an overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) paired with a refresh token cookie set as SameSite=None. This combination allows cross-origin requests with credentials from malicious webpages to successfully invoke the refresh endpoint, enabling attackers to steal fresh access and refresh tokens from victim sessions. The vulnerability is rated at CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and is associated with CWE-346.

The attack requires a victim to visit a malicious webpage controlled by the attacker, which can be delivered via phishing or social engineering. Once loaded, the page performs cross-origin requests including the victim's credentials to the Langflow refresh endpoint, obtaining valid access_token and refresh_token pairs. With these tokens, the attacker gains access to authenticated endpoints, including built-in code-execution functionality, allowing arbitrary code execution and full system compromise. Exploitation requires low privileges (PR:L) as it leverages an existing authenticated user session.

Advisories from Obsidian Security, VulnCheck, and the Langflow GitHub repository detail the issue and recommend mitigation. Security practitioners should consult these sources for patch information, as Langflow versions beyond 1.6.9 address the CORS and cookie misconfigurations.

Langflow is an AI agent workflow platform, making this vulnerability particularly relevant for deployments involving AI/ML workflows where code execution endpoints could expose sensitive models or data. No public evidence of real-world exploitation is noted in available details.