CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform Executive Summary Vulnerability Chain in Langflow: A critical vulnerability chain in Langflow, enabling an attacker to achieve complete account takeover and Remote Code Execution (RCE) by having a user visit a malicious webpage. Exploit Chain: - Overly Permissive CORS: Allows cross-origin requests with credentials from any source. - Lack of CSRF Protection: Token refresh endpoint lacks necessary CSRF defenses. - Code Validation Endpoint: Design vulnerability allows code execution. Impact Severe: Successful exploitation compromises the Langflow instance, exposes all sensitive access tokens and API keys, and triggers a cascading compromise across integrated downstream services. Deep Dive into Langflow CVE-2025-3248: A critical, unauthenticated RCE affecting versions prior to 1.3.0. Exploitation possible due to a two-year journey of architectural trade-offs. The Vulnerability: A Quick Refresher Unauthenticated Code Validation Endpoint: Accessible without authentication, allowing attackers to execute Python code for custom components. From Open to Protected Authentication Added: To the endpoint, triggered automatically by FastAPI's dependency injection. From Protected to Compromised: CVE-2025-34291 Bypass Authentication: Exploiting CORS misconfiguration and a refresh_token_lf cookie misconfiguration. Steps to Reproduce Environment Setup: Using Docker Compose with HTTPS enabled. Proof of Concept: Steps include sending a cross-origin POST request, extracting tokens, and triggering RCE. Mitigations & Fixes Version 1.6.0: New environment variables for CORS configuration. Version 1.7: More secure defaults for CORS and refresh_token_lf cookie. Impact Full Session Hijack and RCE: Through a single malicious webpage visit, compromising the entire system and exposing sensitive data. Security Lesson Cookie/CORS Settings: Highlight the importance of proper configuration and implications on front-end/back-end split deployments. Vulnerability Disclosure Timeline July 29, 2025: Vulnerability submitted via GitHub security issue. September 7, 2025: Requested an update on GitHub security issue. October 3, 2025: CVE-2025-34291 assigned. December 5, 2025: Research published.