CVE-2025-68477: langflow: SSRF allows internal network access

GHSA-5993-7p27-66g5 | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published December 19, 2025
CISO Take

If your team runs Langflow in any cloud or internal environment, patch to 1.7.1 now—do not wait. An attacker with any valid API key can weaponize the API Request component to hit cloud metadata endpoints (AWS/GCP/Azure IMDS) and steal IAM credentials, turning a CVSS 6.5 into a full cloud account compromise. Treat this as critical in cloud-hosted deployments and restrict API key distribution immediately while patching.

Risk Assessment

NVD rates this medium (CVSS 6.5), but environmental risk is substantially higher for cloud-hosted Langflow instances. The SSRF is non-blind—full response bodies are returned—and requires only a valid API key with low complexity and no user interaction. Cloud metadata endpoint access (169.254.169.254) is the critical escalation path: successful exploitation yields ephemeral IAM tokens with the instance's full cloud permissions. EPSS is low (0.00026) indicating no current active exploitation, but the attack is trivial to execute and the payoff is high, making this a near-term exploitation target as the framework's adoption grows.

Affected Systems

Package     Ecosystem   Vulnerable Range   Patched
langflow    pip                            No patch
langflow    pip         < 1.7.1            1.7.1

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: None
A: None

Recommended Action

  1. PATCH immediately: Upgrade Langflow to >= 1.7.1.

  2. Network egress controls: Block outbound traffic from the Langflow server to 169.254.169.254 (cloud metadata), RFC-1918 ranges (10/8, 172.16/12, 192.168/16), and loopback interfaces at the host/container/firewall level.

  3. If patching is delayed: Disable the API Request component in Langflow's component settings or restrict which components users can add to flows.

  4. API key hygiene: Rotate all Langflow API keys. Assume any key accessible to external or untrusted parties is compromised—revoke and reissue.

  5. Cloud hardening: Enable IMDSv2 on all AWS EC2 instances running Langflow (requires session-oriented requests, blocking simple SSRF). Apply equivalent protections on GCP and Azure.

  6. Detection: Alert on outbound HTTP connections from the Langflow process to RFC-1918, 169.254.x.x, or localhost ranges. Monitor /api/v1/run endpoint calls for URL parameters containing private IP patterns.
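
A sketch of the URL check in step 6, as an added example rather than Langflow or vendor tooling: it scans request logs for flow-run calls whose body carries a URL pointing at loopback, RFC 1918 or 169.254.x.x. The JSON log format, its field names (`ts`, `key_id`, `path`, `body`) and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Ranges from the detection step: RFC 1918, 169.254.x.x and loopback.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.IGNORECASE)

def internal_target(url):
    """Return the host if url points at localhost or a literal internal IPv4."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host == "localhost":
            return host
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # named host: only egress/DNS monitoring can judge it
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return host if ip.version == 4 and any(ip in n for n in INTERNAL) else None

def scan(log_lines):
    """Return one alert per internal URL found in a flow-run request body."""
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or not str(rec.get("path", "")).startswith("/api/v1/run"):
            continue
        for url in URL_RE.findall(json.dumps(rec.get("body", ""))):
            host = internal_target(url)
            if host:
                alerts.append({"ts": rec.get("ts"), "key_id": rec.get("key_id"),
                               "path": rec["path"], "target": host})
    return alerts

# Constructed sample lines in an assumed proxy log format (JSON, body captured).
SAMPLE = [
    '{"ts":"2026-01-05T10:00:01Z","key_id":"k-01","path":"/api/v1/run/FLOW_ID",'
    '"body":{"tweaks":{"node-1":{"url":"https://api.example.com/v1/items"}}}}',
    '{"ts":"2026-01-05T10:02:17Z","key_id":"k-02","path":"/api/v1/run/FLOW_ID",'
    '"body":{"tweaks":{"node-1":{"url":"http://169.254.169.254/latest/"}}}}',
    '{"ts":"2026-01-05T10:03:40Z","key_id":"k-02","path":"/api/v1/flows/",'
    '"body":{"note":"http://10.0.0.8/ mentioned outside a run call"}}',
    'not json',
]
```

A URL that uses a hostname resolving to an internal address passes this body scan, which is why the step pairs it with alerting on the outbound connections themselves.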

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  - A.6.2.5 - Information Security in AI System Design
  - A.9.3 - AI System Vulnerability Management
  - A.9.4 - AI System Security
NIST AI RMF
  - MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks
  - MEASURE 2.5 - AI System Security and Resilience Assessment
OWASP LLM Top 10
  - LLM06 - Sensitive Information Disclosure
  - LLM07 - Insecure Plugin Design
  - LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-68477 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-68477, increasing the risk of exploitation.

What systems are affected by CVE-2025-68477?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, cloud-hosted AI workflows, multi-agent pipelines, agentic workflow automation.

What is the CVSS score for CVE-2025-68477?

CVE-2025-68477 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.
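
The destination check the description says was missing, as an added example (not Langflow's code and not the upstream patch): resolve the host, then refuse the request if any resolved address is loopback, private, link-local or metadata. The function names, the blocked-range list beyond the ranges the description names, and the fake resolver data are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the description plus IPv6 equivalents (assumed policy).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason, pinned_ip) for a user-supplied request URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL", None
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host", None
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            addrs = []
    if not addrs:
        return False, "host did not resolve", None
    for ip in addrs:
        # Unwrap ::ffff:a.b.c.d so IPv4-mapped IPv6 cannot bypass the IPv4 list.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        for net in BLOCKED_NETS:
            if ip.version == net.version and ip in net:
                return False, f"{ip} is in blocked range {net}", None
    # The caller should connect to pinned_ip (not re-resolve) and re-run this
    # check on every redirect hop; otherwise DNS rebinding or a 30x bypasses it.
    return True, "ok", str(addrs[0])

# Constructed sample data: a fake resolver so the example runs offline.
FAKE_DNS = {"api.example.com": ["203.0.113.10"],
            "mixed.example.net": ["203.0.113.10", "10.0.0.5"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

Rejecting a host when any one of its records is internal matters because a client that re-resolves may pick a different record than the one that was checked.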

Exploitation Scenario

Attacker acquires a Langflow API key via a leaked .env file in a public GitHub repository or a compromised developer machine. They POST to /api/v1/run/{flow_id} with the API Request component URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted instance. The response reveals the attached IAM role name. A second request to http://169.254.169.254/latest/meta-data/iam/security-credentials/{role_name} returns AccessKeyId, SecretAccessKey, and SessionToken. The attacker now holds valid AWS credentials with the instance role's full permissions—potentially S3 read/write, RDS access, or admin-level IAM rights—with zero victim interaction and no forensic trace in Langflow's application logs beyond standard API call records.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: December 19, 2025
Last Modified: January 2, 2026
First Seen: December 19, 2025
