CVE-2025-68477

GHSA-5993-7p27-66g5 MEDIUM
Published December 19, 2025
CISO Take

If your team runs Langflow in any cloud or internal environment, patch to 1.7.1 now—do not wait. An attacker with any valid API key can weaponize the API Request component to hit cloud metadata endpoints (AWS/GCP/Azure IMDS) and steal IAM credentials, turning a CVSS 6.5 into a full cloud account compromise. Treat this as critical in cloud-hosted deployments and restrict API key distribution immediately while patching.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
langflow   pip          < 1.7.1             1.7.1
langflow   pip                              No patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.0% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. PATCH immediately: Upgrade Langflow to >= 1.7.1.
  2. Network egress controls: Block outbound traffic from the Langflow server to 169.254.169.254 (cloud metadata), RFC-1918 ranges (10/8, 172.16/12, 192.168/16), and loopback interfaces at the host/container/firewall level.
  3. If patching is delayed: Disable the API Request component in Langflow's component settings or restrict which components users can add to flows.
  4. API key hygiene: Rotate all Langflow API keys. Assume any key accessible to external or untrusted parties is compromised—revoke and reissue.
  5. Cloud hardening: Enable IMDSv2 on all AWS EC2 instances running Langflow (requires session-oriented requests, blocking simple SSRF). Apply equivalent protections on GCP and Azure.
  6. Detection: Alert on outbound HTTP connections from the Langflow process to RFC-1918, 169.254.x.x, or localhost ranges. Monitor /api/v1/run endpoint calls for URL parameters containing private IP patterns.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.2.5 - Information Security in AI System Design
  A.9.3 - AI System Vulnerability Management
  A.9.4 - AI System Security
NIST AI RMF
  MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks
  MEASURE 2.5 - AI System Security and Resilience Assessment
OWASP LLM Top 10
  LLM06 - Sensitive Information Disclosure
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.
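
The destination check that the description says the component lacked, as an added example (not Langflow's patch and not code from this advisory). The function names, the injectable resolver and the CONSTRUCTED_DNS table are assumptions made so the sketch runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (IMDS) and other non-global space."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.254 before classifying.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def system_resolver(host: str, port: int) -> list[str]:
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_outbound_url(url: str, resolver=system_resolver) -> list[str]:
    """Return the vetted destination IPs, or raise ValueError if any is internal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        ips = resolver(parts.hostname, port)  # hostname: vet every answer
    blocked = [ip for ip in ips if is_internal(ip)]
    if blocked or not ips:
        raise ValueError(f"blocked destination {parts.hostname} -> {blocked}")
    return ips


# Constructed DNS answers (not real records) so the demonstration runs offline.
CONSTRUCTED_DNS = {
    "api.public.example": ["93.184.216.34"],
    "db.corp.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "169.254.169.254"],
    "2130706433": ["127.0.0.1"],  # decimal spelling of 127.0.0.1
}


def allowed(url: str) -> bool:
    try:
        check_outbound_url(url, lambda host, port: CONSTRUCTED_DNS[host])
        return True
    except ValueError:
        return False
```

The check only holds if the HTTP client connects to one of the returned addresses and the check is repeated for every redirect hop; otherwise a changed DNS answer or a 3xx response pointing at 169.254.169.254 gets past it.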

Exploitation Scenario

Attacker acquires a Langflow API key via a leaked .env file in a public GitHub repository or a compromised developer machine. They POST to /api/v1/run/{flow_id} with the API Request component URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on an AWS-hosted instance. The response reveals the attached IAM role name. A second request to http://169.254.169.254/latest/meta-data/iam/security-credentials/{role_name} returns AccessKeyId, SecretAccessKey, and SessionToken. The attacker now holds valid AWS credentials with the instance role's full permissions—potentially S3 read/write, RDS access, or admin-level IAM rights—with zero victim interaction and no forensic trace in Langflow's application logs beyond standard API call records.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: December 19, 2025
Last Modified: January 2, 2026
First Seen: December 19, 2025