PT-2025-49321 · Langflow · Langflow
Shuyang Wang · Published 2025-12-05 · Updated 2026-05-22
CVE-2025-34291
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Langflow versions prior to 1.7.0
Description
A chained issue enables account takeover and remote code execution. An overly permissive Cross-Origin Resource Sharing (CORS) configuration, where allow origins is set to '*' and allow credentials is set to True, combined with a refresh token cookie configured as SameSite=None, allows a malicious webpage to perform cross-origin requests that include credentials to call the refresh endpoint. This allows an attacker-controlled origin to obtain fresh access token and refresh token pairs for a victim session. These tokens provide access to authenticated endpoints, including built-in code-execution functionality, leading to arbitrary code execution and full system compromise. This issue has been actively exploited in the wild.
Recommendations
Update to a version later than 1.6.9 to resolve the issue.
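For deployments that cannot be updated immediately, the combination named in the description can be checked for directly. The following is an added example, not code from Langflow or from this advisory: it audits a CORS policy and a Set-Cookie header value for the wildcard-origin, credentials and SameSite=None chain. The cookie name, token value, origin and the "strict" settings are constructed assumptions.

```python
from http.cookies import SimpleCookie

def any_origin_with_credentials(cors: dict) -> bool:
    """True when the policy trusts every origin and also allows credentials."""
    origins = cors.get("allow_origins", [])
    if isinstance(origins, str):
        origins = [origins]
    return "*" in origins and bool(cors.get("allow_credentials", False))

def cookie_sent_cross_site(set_cookie: str) -> bool:
    """True when a browser would attach this cookie to a cross-site request."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    morsel = next(iter(cookie.values()), None)
    if morsel is None:
        raise ValueError("no cookie parsed from header value")
    # Browsers require Secure alongside SameSite=None; without both, this
    # check treats the cookie as not sent on cross-site requests.
    return morsel["samesite"].lower() == "none" and bool(morsel["secure"])

def audit(cors: dict, set_cookie: str) -> list[str]:
    """Return findings for the CORS / cookie chain described in the advisory."""
    findings = []
    open_cors = any_origin_with_credentials(cors)
    cross_site = cookie_sent_cross_site(set_cookie)
    if open_cors:
        findings.append("CORS: allow_origins '*' combined with allow_credentials True")
    if cross_site:
        findings.append("cookie: SameSite=None, sent on cross-site requests")
    if open_cors and cross_site:
        findings.append("chain: any origin can call the refresh endpoint with the "
                        "victim's cookie and read the returned tokens")
    return findings

# Constructed sample values (cookie name, token and origin are placeholders).
WEAK_CORS = {"allow_origins": ["*"], "allow_credentials": True}
WEAK_COOKIE = "refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=None"
# Assumed hardening for comparison, not taken from the Langflow fix.
STRICT_CORS = {"allow_origins": ["https://langflow.example.internal"],
               "allow_credentials": True}
STRICT_COOKIE = "refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Strict"

if __name__ == "__main__":
    for label, cors, cookie in (("weak", WEAK_CORS, WEAK_COOKIE),
                                ("strict", STRICT_CORS, STRICT_COOKIE)):
        print(label, audit(cors, cookie) or "no findings")
```

Either finding alone narrows the exposure, but only removing both breaks the chain regardless of how the other setting drifts later.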
Exploit
Fix
RCE
Origin Validation Error
Affected Products
Langflow