CVE-2025-68477: langflow: SSRF allows internal network access

GHSA-5993-7p27-66g5 MEDIUM PoC AVAILABLE CISA: TRACK*
Published December 19, 2025
CISO Take

If your team runs Langflow in any cloud or internal environment, patch to 1.7.1 now—do not wait. An attacker with any valid API key can weaponize the API Request component to hit cloud metadata endpoints (AWS/GCP/Azure IMDS) and steal IAM credentials, turning a CVSS 6.5 into a full cloud account compromise. Treat this as critical in cloud-hosted deployments and restrict API key distribution immediately while patching.

What is the risk?

NVD rates this medium (CVSS 6.5), but environmental risk is substantially higher for cloud-hosted Langflow instances. The SSRF is non-blind—full response bodies are returned—and requires only a valid API key with low complexity and no user interaction. Cloud metadata endpoint access (169.254.169.254) is the critical escalation path: successful exploitation yields ephemeral IAM tokens with the instance's full cloud permissions. EPSS is low (0.00026) indicating no current active exploitation, but the attack is trivial to execute and the payoff is high, making this a near-term exploitation target as the framework's adoption grows.

What systems are affected?

Package   Ecosystem  Vulnerable Range  Patched
Langflow  pip        -                 No patch
Langflow  pip        < 1.7.1           1.7.1

149.9K Pushed 3d ago 40% patched ~67d to patch

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 5.8% chance of exploitation in 30 days (higher than 92% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

6 steps
  1. PATCH immediately: Upgrade Langflow to >= 1.7.1.

  2. Network egress controls: Block outbound traffic from the Langflow server to 169.254.169.254 (cloud metadata), RFC-1918 ranges (10/8, 172.16/12, 192.168/16), and loopback interfaces at the host/container/firewall level.

  3. If patching is delayed: Disable the API Request component in Langflow's component settings or restrict which components users can add to flows.

  4. API key hygiene: Rotate all Langflow API keys. Assume any key accessible to external or untrusted parties is compromised—revoke and reissue.

  5. Cloud hardening: Enable IMDSv2 on all AWS EC2 instances running Langflow (requires session-oriented requests, blocking simple SSRF). Apply equivalent protections on GCP and Azure.

  6. Detection: Alert on outbound HTTP connections from the Langflow process to RFC-1918, 169.254.x.x, or localhost ranges. Monitor /api/v1/run endpoint calls for URL parameters containing private IP patterns.
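A sketch of the request-side check in step 6, added here as an example and not taken from Langflow or the advisory. It walks the JSON body of each logged call to the run endpoints and flags any URL whose host is localhost or a literal IP in the ranges listed above. The log schema, the body field names and the sample records are constructed assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Ranges from steps 2 and 6: link-local/metadata, RFC 1918, loopback.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128")]

# Constructed sample records; the log schema and body field names are hypothetical.
SAMPLE_LOG = [
    '{"client": "203.0.113.7", "path": "/api/v1/run/flow-a", "body": {"tweaks": {"req-1": {"url": "https://api.example.com/v1/items"}}}}',
    '{"client": "198.51.100.4", "path": "/api/v1/run/flow-b", "body": {"tweaks": {"req-1": {"url": "http://169.254.169.254/latest/meta-data/"}}}}',
    '{"client": "198.51.100.4", "path": "/api/v1/run/advanced/flow-b", "body": {"inputs": [{"url": "http://10.0.0.5:8080/status"}]}}',
    '{"client": "203.0.113.7", "path": "/api/v1/flows", "body": {"note": "http://127.0.0.1/"}}',
]

def internal_target(url):
    """True if the URL's host is localhost or a literal IP in a blocked range."""
    try:
        host = urlsplit(url).hostname or ""
        if host == "localhost":
            return True
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparsable, or a DNS name (needs egress/DNS logs instead)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return any(ip in net for net in BLOCKED)

def strings(node):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings(child)

def scan(lines):
    """Return (client, path, url) for each run call carrying an internal URL."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if not rec["path"].startswith("/api/v1/run"):
            continue
        for s in strings(rec.get("body")):
            if s.startswith(("http://", "https://")) and internal_target(s):
                hits.append((rec["client"], rec["path"], s))
    return hits
```

String matching on request bodies only sees literal addresses; a hostname that resolves to an internal address is caught by the outbound-connection alert in the same step, not by this scan.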

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.2.5 - Information Security in AI System Design
  A.9.3 - AI System Vulnerability Management
  A.9.4 - AI System Security
NIST AI RMF
  MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks
  MEASURE 2.5 - AI System Security and Resilience Assessment
OWASP LLM Top 10
  LLM06 - Sensitive Information Disclosure
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-68477 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-68477, increasing the risk of exploitation.

What systems are affected by CVE-2025-68477?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, cloud-hosted AI workflows, multi-agent pipelines, agentic workflow automation.

What is the CVSS score for CVE-2025-68477?

CVE-2025-68477 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 5.76%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
LLM orchestration platforms
cloud-hosted AI workflows
multi-agent pipelines
agentic workflow automation

MITRE ATLAS Techniques

AML.T0036 Data from Information Repositories
AML.T0037 Data from Local System
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5, A.9.3, A.9.4
NIST AI RMF: MANAGE 2.2, MEASURE 2.5
OWASP LLM Top 10: LLM06, LLM07, LLM08

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.
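The advisory describes a URL that is normalized and format-checked but never tested against internal address ranges. The following is an added example of such a destination check, not Langflow's actual patch: it resolves the host and rejects the request if any resulting address is non-public. The function names, the offline resolver and its name-to-address table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "169.254.169.254"],
}

def fake_resolver(host, port):
    """Offline resolver: table lookup; literal IPs resolve to themselves."""
    return CONSTRUCTED_DNS.get(host, [host])

def system_resolver(host, port):
    """Every address the host maps to (A and AAAA) via the OS resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def check_destination(url, resolver=system_resolver):
    """Return the vetted addresses for url, or raise ValueError.

    The decision is made on the resolved addresses, not on the URL string.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(parts.hostname, port)
    if not addresses:
        raise ValueError("host did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # strip IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:  # loopback, RFC 1918, link-local (169.254/16), ...
            raise ValueError(f"{parts.hostname} -> {ip} is not a public address")
    return addresses

def is_allowed(url, resolver=system_resolver):
    """Boolean wrapper around check_destination."""
    try:
        check_destination(url, resolver)
        return True
    except (ValueError, OSError):
        return False
```

The HTTP client has to connect to one of the returned addresses and repeat the check on every redirect hop; a second DNS lookup or a 3xx response after the check can otherwise still reach an internal address.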

Exploitation Scenario

Attacker acquires a Langflow API key via a leaked .env file in a public GitHub repository or a compromised developer machine. They POST to /api/v1/run/{flow_id} with the API Request component URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted instance. The response reveals the attached IAM role name. A second request to http://169.254.169.254/latest/meta-data/iam/security-credentials/{role_name} returns AccessKeyId, SecretAccessKey, and SessionToken. The attacker now holds valid AWS credentials with the instance role's full permissions—potentially S3 read/write, RDS access, or admin-level IAM rights—with zero victim interaction and no forensic trace in Langflow's application logs beyond standard API call records.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: December 19, 2025
Last Modified: January 2, 2026
First Seen: December 19, 2025
