CVE-2025-34291: Langflow Origin Validation Error Vulnerability
Summary
A critical vulnerability, CVE-2025-34291, has been identified in Langflow due to an overly permissive CORS configuration and a SameSite=None refresh token cookie. This flaw allows malicious webpages to perform cross-origin requests with credentials, potentially leading to arbitrary code execution and full system compromise.
IFF Assessment
This vulnerability allows attackers to gain full system compromise, posing a significant threat to defenders.
Severity
The vulnerability allows for arbitrary code execution and full system compromise through authenticated endpoints via obtained tokens, indicating a high impact and exploitability.
CISA KEV: Listed as actively exploited. Federal patch due: June 04, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability in Langflow, an open-source tool for building LLM applications, highlights the security risks associated with improperly configured CORS and cookie policies in web applications. Defenders should be vigilant about patching and applying mitigations for such vulnerabilities, especially in cloud environments, and follow directives like CISA BOD 22-01.