支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:752

75.2%
立即捐款
一、 漏洞 CVE-2025-34291 基础信息
漏洞信息
                                        # Langflow <=1.6.9 CORS漏洞引发令牌劫持和RCE

## 概述

Langflow ≤ 1.6.9 存在由多个漏洞组成的链式漏洞,可导致账户接管和远程代码执行(RCE)。

## 影响版本

- Langflow 版本 1.6.9 及其以下版本

## 漏洞细节

1. **CORS 配置过于宽松**:
   - 设置中使用了 `allow_origins='*'` 且同时启用了 `allow_credentials=True`,允许来自任意源的请求携带凭证。

2. **Cookie 配置不安全**:
   - Refresh token cookie 被设置为 `SameSite=None`,但未明确限制允许的源,导致容易受到跨站请求伪造(CSRF)攻击。

3. **攻击流程**:
   - 攻击者可通过构建恶意网页,诱导用户在已登录状态下访问。
   - 利用跨源请求访问 `/refresh` 端点,成功获取新的 `access_token` 和 `refresh_token`。
   - 攻击者可借此获取用户的会话凭据,实现账户接管。

4. **高危利用**:
   - 利用获取的 token 可访问所有需认证的 API 接口。
   - 其中部分功能支持内置代码执行操作,攻击者可利用此上传和执行任意代码,最终导致系统被完全控制。

## 影响

攻击者可以:
- 接管用户账户。
- 执行任意代码(Remote Code Execution)。
- 完全控制受影响的系统。
神龙判断

是否为 Web 类漏洞: 未知

判断理由:

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
源验证错误
来源:美国国家漏洞数据库 NVD
漏洞标题
Langflow 访问控制错误漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Langflow是Langflow开源的一个用于构建多代理和 RAG 应用程序的可视化框架。 Langflow 1.6.9及之前版本存在访问控制错误漏洞,该漏洞源于过度宽松的CORS配置和SameSite设置不当,可能导致账户接管和远程代码执行。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
授权问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-34291 的公开POC
#POC 描述源链接神龙链接
1Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34291.yamlPOC详情
2Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%BA%E5%B7%A5%E6%99%BA%E8%83%BD%E6%BC%8F%E6%B4%9E/Langflow%20%E2%89%A4%201.6.9%20CORS%20%E9%85%8D%E7%BD%AE%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E4%BB%A4%E7%89%8C%E5%8A%AB%E6%8C%81%E5%92%8C%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2025-34291.mdPOC详情
三、漏洞 CVE-2025-34291 的情报信息

  • 标题: GitHub - langflow-ai/langflow: Langflow is a powerful tool for building and deploying AI-powered agents and workflows. -- 🔗来源链接

    标签:product

    神龙速读:
                                            从这张GitHub项目页面的截图中,可以获取到以下关于漏洞的关键信息:

- **已知安全问题**:  
  Langflow项目列出了特定版本的安全警告和CVE,如CVE-2025-3248和CVE-2025-57760,以保护用户在安全性问题纠正前升级到安全版本。

- **版本安全更新**:  
  不同版本之间存在安全性修复,如在1.6.4版本中,修复了导致安全漏洞的bug。

- **配置文件读取风险**:  
  特定版本下,`.env`文件的处理不当可能引发安全问题,项目建议升级到高版本以解决此问题。

这些安全相关细节可帮助用户明白编程和系统中可能出现的威胁,并指导他们如何通过版本选择规避相关风险。
    GitHub - langflow-ai/langflow: Langflow is a powerful tool for building and deploying AI-powered agents and workflows.

  • 标题: Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE | Advisories | VulnCheck -- 🔗来源链接

    标签:third-party-advisory

    神龙速读:
                                            ### 漏洞关键信息

- **标题**: Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
- **严重性**: Critical
- **日期**: December 5, 2025

#### 脆弱性描述
Langflow 版本 1.6.9 及以下版本包含一个连锁漏洞,允许账户接管和远程代码执行。过于宽松的 CORS 配置(allow_origins='*' 且 allow_credentials=True)结合刷新令牌 cookie 配置为 SameSite=None,允许恶意网页执行包含凭据的跨源请求并成功调用刷新端点。攻击者控制的来源因此可以为受害者的会话获取新鲜的访问令牌/刷新令牌对。获得的令牌允许访问经过身份验证的端点——包括内置的代码执行功能——允许攻击者执行任意代码并实现对系统的完全控制。

#### 影响版本
- Langflow <= 1.6.9

#### 参考
- [Obsidian Security Blog](链接)
- [Langflow GitHub Repo](链接)

#### 信用
- Fenix Qiao (aka 13ph03nix) from Obsidian Security
- Shuyang Wang from Obsidian Security
    Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE | Advisories | VulnCheck

  • 标题: CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform -- 🔗来源链接

    标签:technical-descriptionexploit

    神龙速读:
                                            ### CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform

#### Executive Summary

- **Vulnerability Chain in Langflow**: A critical vulnerability chain in Langflow, enabling an attacker to achieve complete account takeover and Remote Code Execution (RCE) by having a user visit a malicious webpage.
- **Exploit Chain**:
  - **Overly Permissive CORS**: Allows cross-origin requests with credentials from any source.
  - **Lack of CSRF Protection**: Token refresh endpoint lacks necessary CSRF defenses.
  - **Code Validation Endpoint**: Design vulnerability allows code execution.

#### Impact

- **Severe**: Successful exploitation compromises the Langflow instance, exposes all sensitive access tokens and API keys, and triggers a cascading compromise across integrated downstream services.

#### Deep Dive into Langflow

- **CVE-2025-3248**: A critical, unauthenticated RCE affecting versions prior to 1.3.0. Exploitation possible due to a two-year journey of architectural trade-offs.

#### The Vulnerability: A Quick Refresher

- **Unauthenticated Code Validation Endpoint**: Accessible without authentication, allowing attackers to execute Python code for custom components.

#### From Open to Protected

- **Authentication Added**: To the `/api/v1/validate/code` endpoint, triggered automatically by FastAPI's dependency injection.

#### From Protected to Compromised: CVE-2025-34291

- **Bypass Authentication**: Exploiting CORS misconfiguration and a refresh_token_lf cookie misconfiguration.

#### Steps to Reproduce

- **Environment Setup**: Using Docker Compose with HTTPS enabled.
- **Proof of Concept**: Steps include sending a cross-origin POST request, extracting tokens, and triggering RCE.

#### Mitigations & Fixes

- **Version 1.6.0**: New environment variables for CORS configuration.
- **Version 1.7**: More secure defaults for CORS and refresh_token_lf cookie.

#### Impact

- **Full Session Hijack and RCE**: Through a single malicious webpage visit, compromising the entire system and exposing sensitive data.

#### Security Lesson

- **Cookie/CORS Settings**: Highlight the importance of proper configuration and implications on front-end/back-end split deployments.

#### Vulnerability Disclosure Timeline

- **July 29, 2025**: Vulnerability submitted via GitHub security issue.
- **September 7, 2025**: Requested an update on GitHub security issue.
- **October 3, 2025**: CVE-2025-34291 assigned.
- **December 5, 2025**: Research published.
    CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform
  • https://nvd.nist.gov/vuln/detail/CVE-2025-34291
四、漏洞 CVE-2025-34291 的评论

暂无评论

发表评论