PT-2025-52500 · Langflow · Langflow
J1Vvoo · Published 2025-12-19 · Updated 2026-03-24 · CVE-2025-68478
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Langflow versions prior to 1.7.0
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Before version 1.7.0, specifying an arbitrary path in the request body's fs path field allows server-side file creation or overwriting at that path. The path is not normalized, restricted, or checked against any allowed directory, so absolute paths such as /etc/poc.txt are interpreted as-is. This could allow arbitrary file manipulation.
Recommendations
Update to version 1.7.0 or later.
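As an added illustration (not Langflow's own code; the storage root and function names are assumptions), the unchecked path handling the advisory describes next to a version that normalizes the request-supplied path and confines it to an allowed directory:

```python
import os
from pathlib import PurePosixPath

# Constructed storage root for this example; the real Langflow location is not on the page.
ALLOWED_ROOT = "/srv/app/files"


def unsafe_target(fs_path: str, root: str = ALLOWED_ROOT) -> str:
    """Pre-1.7.0 behaviour as the advisory describes it: the request-supplied path
    is honoured as-is. os.path.join() silently discards `root` when fs_path is
    absolute, so "/etc/poc.txt" becomes the write target."""
    return os.path.normpath(os.path.join(root, fs_path))


def safe_target(fs_path: str, root: str = ALLOWED_ROOT) -> str:
    """Hardened version: reject absolute paths and parent-directory components,
    normalize, then verify the result still sits inside `root`."""
    candidate = PurePosixPath(fs_path)
    if not candidate.parts:
        raise ValueError("empty path rejected")
    if candidate.is_absolute():
        raise ValueError(f"absolute path rejected: {fs_path!r}")
    if ".." in candidate.parts:
        raise ValueError(f"parent-directory component rejected: {fs_path!r}")
    root = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root, str(candidate)))
    # Containment check as a second line of defence after the component checks.
    # This is lexical only: if `root` exists and may contain symlinks, compare
    # os.path.realpath(target) against os.path.realpath(root) as well.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes storage root: {fs_path!r}")
    return target


def is_safe(fs_path: str, root: str = ALLOWED_ROOT) -> bool:
    """Convenience predicate: True when safe_target() accepts the path."""
    try:
        safe_target(fs_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe:", unsafe_target("/etc/poc.txt"))      # /etc/poc.txt
    print("safe:  ", safe_target("flows/demo.json"))     # /srv/app/files/flows/demo.json
    print("blocked:", is_safe("/etc/poc.txt"))            # False
```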
Exploit
Fix
Related Identifiers
Affected Products
Langflow