CVE-2025-57760: Langflow: privilege escalation to full superuser via CLI

GHSA-4gv9-mp8m-592r HIGH PoC AVAILABLE CISA: ATTEND
Published August 25, 2025
CISO Take

Any authenticated Langflow user with code execution access — trivially obtained via Langflow's built-in Python execution nodes — can self-promote to superuser with a single CLI command, gaining full platform control. Patch immediately to langflow 1.5.1 / langflow-base 0.5.1; this is a one-step escalation with no exploitation complexity. Until patched, restrict Langflow to internal networks, audit all superuser accounts for unauthorized entries, and rotate all stored API keys.

What is the risk?

High effective risk despite low EPSS (0.014%). CVSS 8.8 (Network/Low Complexity/Low Privileges) accurately reflects the trivial exploit path: Langflow's core design includes Python code execution nodes that grant every authenticated user a built-in RCE primitive, collapsing the privilege requirement to near-zero in practice. Internet-exposed Langflow instances — common in AI dev teams — are fully compromised by any registered user. No active exploitation detected yet, but weaponization requires minimal skill.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
Langflow   pip         -                  No patch
Langflow   pip         <= 1.5.0           1.5.1
Langflow   pip         <= 0.5.0           0.5.1

Package stats: 149.9K, pushed 3d ago, 40% patched, ~67d to patch.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network    AC: Low    PR: Low    UI: None
S: Unchanged   C: High    I: High    A: High

What should I do?

  1. PATCH: Update to langflow 1.5.1 or langflow-base 0.5.1 — patches are available (PR #9152, commit c188ec1).
  2. AUDIT: Immediately enumerate all superuser accounts; any account not explicitly provisioned by an admin is suspect.
  3. ROTATE: Treat all API keys and credentials stored in Langflow as compromised until audited — rotate OpenAI, Anthropic, and any other stored keys.
  4. RESTRICT: Langflow must not be internet-exposed; enforce VPN or network-level access controls.
  5. MONITOR: Alert on 'langflow superuser' CLI invocations in container stdout/stderr logs.
  6. HARDEN: Run Langflow containers with least-privilege OS permissions to limit blast radius of code execution.
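The AUDIT and MONITOR steps above can be scripted. The following is an added example, not code from the advisory or from the Langflow project: it scans constructed container stdout/stderr lines for the `langflow superuser` CLI being invoked (in shell-string or Python argv-list form) and compares the superusers present in a constructed user export against the set an administrator explicitly provisioned. The log line layout, the `{"username", "is_superuser"}` record shape, and the sample values (including the redacted `'***'` password) are assumptions for this example; adapt them to your deployment.

```python
"""Defender-side checks for CVE-2025-57760.

Added example; this is not Langflow's code and not part of the advisory.
It implements two of the remediation steps:

  * MONITOR: scan container stdout/stderr lines for invocations of the
    `langflow superuser` CLI command.
  * AUDIT: compare the superuser accounts present in a Langflow instance
    against the set an administrator explicitly provisioned.

The log line layout and the user-record shape ({"username", "is_superuser"})
are assumptions for this example; adapt both to your deployment.
"""
import re

# Matches `langflow superuser` whether it appears as a shell command string or
# as a Python argv list such as ['langflow', 'superuser', ...]. The optional
# quote and comma handle the list form; IGNORECASE catches casing variations.
SUPERUSER_CLI_RE = re.compile(r"langflow['\"]?\s*,?\s*['\"]?superuser\b", re.IGNORECASE)

# Constructed sample container log lines (not real Langflow output).
SAMPLE_LOG = [
    "2025-08-26T10:00:01Z stdout INFO flow run started id=flow_a1b2",
    "2025-08-26T10:00:02Z stderr WARNING python node executing user-supplied code",
    "2025-08-26T10:00:03Z stdout subprocess argv=['langflow', 'superuser', '--username', 'ops-bot', '--password', '***']",
    "2025-08-26T10:00:04Z stdout INFO flow run finished id=flow_a1b2",
    "2025-08-26T10:05:00Z stdout INFO login username=alice",
]

# Constructed sample user records, as an admin might export them from Langflow.
SAMPLE_USERS = [
    {"username": "admin", "is_superuser": True},
    {"username": "alice", "is_superuser": False},
    {"username": "ops-bot", "is_superuser": True},
]


def find_superuser_cli_invocations(lines):
    """Return (1-based line number, line) for every log line that shows the
    `langflow superuser` CLI being invoked."""
    return [(n, line) for n, line in enumerate(lines, start=1) if SUPERUSER_CLI_RE.search(line)]


def unexpected_superusers(users, provisioned):
    """Return the sorted usernames that hold superuser but were not explicitly
    provisioned by an administrator; every entry is suspect until explained."""
    return sorted(
        u["username"]
        for u in users
        if u.get("is_superuser") and u["username"] not in provisioned
    )


def triage(lines, users, provisioned):
    """Combine both checks into one report dict for an alerting pipeline."""
    hits = find_superuser_cli_invocations(lines)
    rogue = unexpected_superusers(users, provisioned)
    return {
        "cli_invocations": hits,
        "unexpected_superusers": rogue,
        "alert": bool(hits or rogue),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_USERS, provisioned={"admin"})
    for n, line in report["cli_invocations"]:
        print(f"ALERT line {n}: {line}")
    for name in report["unexpected_superusers"]:
        print(f"ALERT unexpected superuser: {name}")
```

Feed `find_superuser_cli_invocations` the container's captured stdout/stderr (for example, the output of your log collector) and `unexpected_superusers` an export of the user table; any hit from either check is an incident to investigate, since a legitimate superuser creation happens through the administrator's own provisioning path, not from inside a running flow.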

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.3 - Access control for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-57760?

Any authenticated Langflow user with code execution access — trivially obtained via Langflow's built-in Python execution nodes — can self-promote to superuser with a single CLI command, gaining full platform control. Patch immediately to langflow 1.5.1 / langflow-base 0.5.1; this is a one-step escalation with no exploitation complexity. Until patched, restrict Langflow to internal networks, audit all superuser accounts for unauthorized entries, and rotate all stored API keys.

Is CVE-2025-57760 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-57760, increasing the risk of exploitation.

How to fix CVE-2025-57760?

  1. PATCH: Update to langflow 1.5.1 or langflow-base 0.5.1 — patches are available (PR #9152, commit c188ec1).
  2. AUDIT: Immediately enumerate all superuser accounts; any account not explicitly provisioned by an admin is suspect.
  3. ROTATE: Treat all API keys and credentials stored in Langflow as compromised until audited — rotate OpenAI, Anthropic, and any other stored keys.
  4. RESTRICT: Langflow must not be internet-exposed; enforce VPN or network-level access controls.
  5. MONITOR: Alert on 'langflow superuser' CLI invocations in container stdout/stderr logs.
  6. HARDEN: Run Langflow containers with least-privilege OS permissions to limit blast radius of code execution.

What systems are affected by CVE-2025-57760?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow automation.

What is the CVSS score for CVE-2025-57760?

CVE-2025-57760 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.43%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration platforms, AI workflow automation

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time.

Exploitation Scenario

Attacker registers a standard user account on an internet-exposed Langflow instance (or compromises an existing low-privilege account). They create a workflow with a Python code execution node containing: `import subprocess; subprocess.run(['langflow', 'superuser', '--username', 'backdoor', '--password', 'Attacker123!'])`. Running the flow executes the CLI command inside the container, creating a new superuser. The attacker authenticates as superuser, exports all stored LLM API keys, modifies production AI workflows to exfiltrate sensitive data processed by agents, and uses stored database credentials to pivot laterally — entire chain completable in under 5 minutes with no specialized AI/ML knowledge.

Weaknesses (CWE)

CWE-269 — Improper Privilege Management: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 25, 2025
Last Modified
December 18, 2025
First Seen
August 25, 2025

Related Vulnerabilities