CVE-2025-34291

Published 06/12/2025 00:15 · Modified 23/05/2026 16:54 · Author: The MITRE Corporation

Labels: CVE-2025-34291, 2025-12-05, CWE-346, [email protected]

Essential information

Published: 06/12/2025 00:15
Modified: 23/05/2026 16:54
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 8.8 HIGH (v3.1), 9.4 CRITICAL (v4.0)
CISA KEV: Yes
CWE: CWE-346
EPSS (First): P84.8% (percentile; score 0.02458)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
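
The settings named in the description can be audited mechanically. The Python sketch below is an added example, not Langflow code: it models when a cross-site page could both send the refresh cookie and read the response. The `Policy` type, the example origins, and the assumption that the server names the caller's origin explicitly when a wildcard is combined with credentials are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allow_origins: tuple            # ("*",) or explicit origins
    allow_credentials: bool
    refresh_cookie_samesite: str    # "None", "Lax" or "Strict"

def cors_headers(policy, origin):
    """CORS response headers the modelled server returns for `origin`."""
    wildcard = "*" in policy.allow_origins
    if not wildcard and origin not in policy.allow_origins:
        return {}
    if not policy.allow_credentials:
        return {"Access-Control-Allow-Origin": "*" if wildcard else origin}
    # Assumption: with credentials enabled the server names the caller's
    # origin explicitly, so a wildcard list ends up trusting every origin.
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}

def cross_site_refresh_readable(policy, origin):
    """True if a page on a cross-site `origin` could call the refresh
    endpoint with the victim's cookie and read the returned tokens."""
    headers = cors_headers(policy, origin)
    # Browsers attach a cookie to cross-site fetch/XHR only if SameSite=None.
    cookie_attached = policy.refresh_cookie_samesite.lower() == "none"
    response_readable = (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true")
    return cookie_attached and response_readable

def audit(policy):
    """Findings for the two settings named in the CVE description."""
    findings = []
    if "*" in policy.allow_origins and policy.allow_credentials:
        findings.append("CORS: wildcard origins combined with credentials")
    if policy.refresh_cookie_samesite.lower() == "none":
        findings.append("Cookie: refresh token is SameSite=None")
    return findings

# Constructed sample values (not taken from any real deployment).
APP = "https://app.example.test"
FOREIGN = "https://other.example.test"
WEAK = Policy(("*",), True, "None")
HARDENED = Policy((APP,), True, "Strict")

if __name__ == "__main__":
    for name, p in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, cross_site_refresh_readable(p, FOREIGN), audit(p))
```

In this model, correcting either setting alone already makes `cross_site_refresh_readable` return False; the hardened policy corrects both so that one regression does not reopen the chain.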

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]

References