CVE-2025-57760: Langflow: privilege escalation to full superuser via CLI

GHSA-4gv9-mp8m-592r | HIGH | PoC AVAILABLE | CISA: ATTEND
Published August 25, 2025
CISO Take

Any authenticated Langflow user with code execution access — trivially obtained via Langflow's built-in Python execution nodes — can self-promote to superuser with a single CLI command, gaining full platform control. Patch immediately to langflow 1.5.1 / langflow-base 0.5.1; this is a one-step escalation with no exploitation complexity. Until patched, restrict Langflow to internal networks, audit all superuser accounts for unauthorized entries, and rotate all stored API keys.

Risk Assessment

High effective risk despite low EPSS (0.014%). CVSS 8.8 (Network/Low Complexity/Low Privileges) accurately reflects the trivial exploit path: Langflow's core design includes Python code execution nodes that grant every authenticated user a built-in RCE primitive, collapsing the privilege requirement to near-zero in practice. Internet-exposed Langflow instances — common in AI dev teams — are fully compromised by any registered user. No active exploitation detected yet, but weaponization requires minimal skill.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| langflow | pip | | No patch |
| langflow | pip | <= 1.5.0 | 1.5.1 |
| langflow-base | pip | <= 0.5.0 | 0.5.1 |

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

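Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High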

Recommended Action

1. PATCH: Update to langflow 1.5.1 or langflow-base 0.5.1; patches are available (PR #9152, commit c188ec1).
2. AUDIT: Immediately enumerate all superuser accounts; any account not explicitly provisioned by an admin is suspect.
3. ROTATE: Treat all API keys and credentials stored in Langflow as compromised until audited; rotate OpenAI, Anthropic, and any other stored keys.
4. RESTRICT: Langflow must not be internet-exposed; enforce VPN or network-level access controls.
5. MONITOR: Alert on 'langflow superuser' CLI invocations in container stdout/stderr logs.
6. HARDEN: Run Langflow containers with least-privilege OS permissions to limit blast radius of code execution.
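
The MONITOR step as an added example (not part of the original advisory and not Langflow code): a log scanner that flags `langflow superuser` invocations in both shell form and Python argv-list form, and reports the requested username without ever copying the password into the alert. The sample lines and their layout are constructed for illustration; only the `--username` and `--password` flags come from this page.

```python
import os
import re
import shlex

# Constructed sample lines (not real Langflow output); the log layout is assumed.
SAMPLE_LOGS = [
    "2025-08-26T10:02:11Z proc cmd=/usr/local/bin/langflow run --host 0.0.0.0",
    "2025-08-26T10:07:43Z proc cmd=langflow superuser --username backdoor --password 'Attacker123!'",
    "2025-08-26T10:09:02Z app flow 'faq-bot' finished in 1.2s",
    "2025-08-26T10:11:30Z proc argv=['langflow', 'superuser', '--username=ops2', '--password=x']",
]
VALUE_FLAGS = ("--username", "--password")  # the two flags shown on this page


def tokens(line):
    """Split a log line into shell-style words, flattening Python list syntax."""
    cleaned = re.sub(r"[\[\](),]", " ", line)
    try:
        return shlex.split(cleaned)
    except ValueError:  # unbalanced quote somewhere in the line
        return cleaned.split()


def is_langflow(tok):
    """True for 'langflow', '/path/to/langflow' or 'cmd=langflow'."""
    return os.path.basename(tok.rsplit("=", 1)[-1]) == "langflow"


def find_superuser_invocations(lines):
    """Return one alert dict per line that runs `langflow superuser`."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        toks = tokens(line)
        for i in range(len(toks) - 1):
            if not (is_langflow(toks[i]) and toks[i + 1] == "superuser"):
                continue
            args, opts, j = toks[i + 2:], {}, 0
            while j < len(args):
                key, sep, val = args[j].partition("=")
                if key in VALUE_FLAGS and not sep and j + 1 < len(args):
                    j += 1
                    val = args[j]
                opts[key] = val
                j += 1
            # The alert never carries the password value, only whether one was given.
            alerts.append({"line": lineno, "username": opts.get("--username"),
                           "password_supplied": "--password" in opts})
            break
    return alerts


if __name__ == "__main__":
    for alert in find_superuser_invocations(SAMPLE_LOGS):
        print(alert)
```

Usernames returned by the scanner can be compared against the list of admin-provisioned superusers from the AUDIT step; any name not on that list warrants investigation.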

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.3 - Access control for AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-57760?

Any authenticated Langflow user with code execution access — trivially obtained via Langflow's built-in Python execution nodes — can self-promote to superuser with a single CLI command, gaining full platform control. Patch immediately to langflow 1.5.1 / langflow-base 0.5.1; this is a one-step escalation with no exploitation complexity. Until patched, restrict Langflow to internal networks, audit all superuser accounts for unauthorized entries, and rotate all stored API keys.

Is CVE-2025-57760 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-57760, increasing the risk of exploitation.

How to fix CVE-2025-57760?

1. PATCH: Update to langflow 1.5.1 or langflow-base 0.5.1; patches are available (PR #9152, commit c188ec1).
2. AUDIT: Immediately enumerate all superuser accounts; any account not explicitly provisioned by an admin is suspect.
3. ROTATE: Treat all API keys and credentials stored in Langflow as compromised until audited; rotate OpenAI, Anthropic, and any other stored keys.
4. RESTRICT: Langflow must not be internet-exposed; enforce VPN or network-level access controls.
5. MONITOR: Alert on 'langflow superuser' CLI invocations in container stdout/stderr logs.
6. HARDEN: Run Langflow containers with least-privilege OS permissions to limit blast radius of code execution.

What systems are affected by CVE-2025-57760?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation.

What is the CVSS score for CVE-2025-57760?

CVE-2025-57760 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time.

Exploitation Scenario

Attacker registers a standard user account on an internet-exposed Langflow instance (or compromises an existing low-privilege account). They create a workflow with a Python code execution node containing: `import subprocess; subprocess.run(['langflow', 'superuser', '--username', 'backdoor', '--password', 'Attacker123!'])`. Running the flow executes the CLI command inside the container, creating a new superuser. The attacker authenticates as superuser, exports all stored LLM API keys, modifies production AI workflows to exfiltrate sensitive data processed by agents, and uses stored database credentials to pivot laterally — entire chain completable in under 5 minutes with no specialized AI/ML knowledge.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 25, 2025
Last Modified: December 18, 2025
First Seen: August 25, 2025

Related Vulnerabilities