CVE-2025-68478: langflow: File Control enables path manipulation

GHSA-f43r-cc68-gpx4 | Severity: HIGH | PoC available | CISA SSVC: Track*
Published December 19, 2025
CISO Take

Any authenticated Langflow user — including low-privileged accounts — can overwrite arbitrary files on the server filesystem, including cron jobs, SSH keys, and web server configs, enabling full host compromise with a single API call. Upgrade to Langflow 1.7.1 immediately; if patching is blocked, isolate the Langflow instance behind a VPN or internal-only network until patching is complete. This is a trivial exploit requiring no special AI/ML knowledge.

What is the risk?

High practical risk despite low EPSS. The exploit requires only a valid Langflow account and network access — no brute-forcing, no complex chaining. High integrity impact (arbitrary file write anywhere on the filesystem) means an attacker can escalate to full server compromise via cron persistence, SSH key injection, or overwriting application configs. Organizations exposing Langflow to shared dev teams, contractors, or the public internet face the highest exposure. Not in CISA KEV and EPSS is low, indicating no confirmed mass exploitation yet — patch before that changes.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Langflow  pip         -                  No patch
Langflow  pip         < 1.7.1            1.7.1

Package stats: 149.9K, pushed 3d ago, 40% patched, ~67d to patch

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
3.3%
chance of exploitation in 30 days
Higher than 87% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: High
A: Low

What should I do?

6 steps
  1. PATCH

    Upgrade Langflow to 1.7.1 immediately — this is the only full fix.

  2. ISOLATE

    If patching is blocked, restrict Langflow API access to trusted IPs/VPN only; remove public-facing exposure.

  3. AUDIT

    Review Langflow API logs for POST requests containing absolute paths in fs_path parameters; alert on paths outside the Langflow data directory.

  4. FIM

    Enable file integrity monitoring on the Langflow host for /etc/, /var/spool/cron/, ~/.ssh/, and web root directories.

  5. LEAST PRIVILEGE

    If running Langflow as root or with elevated OS permissions, switch to a dedicated low-privilege service account immediately.

  6. CONTAINERS

    Verify AppArmor/SELinux profiles or read-only filesystem mounts are in place to limit write scope if containerized.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security controls
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of AI risks over time
OWASP LLM Top 10
LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-68478?

Any authenticated Langflow user — including low-privileged accounts — can overwrite arbitrary files on the server filesystem, including cron jobs, SSH keys, and web server configs, enabling full host compromise with a single API call. Upgrade to Langflow 1.7.1 immediately; if patching is blocked, isolate the Langflow instance behind a VPN or internal-only network until patching is complete. This is a trivial exploit requiring no special AI/ML knowledge.

Is CVE-2025-68478 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-68478, increasing the risk of exploitation.

How to fix CVE-2025-68478?

1. PATCH: Upgrade Langflow to 1.7.1 immediately — this is the only full fix. 2. ISOLATE: If patching is blocked, restrict Langflow API access to trusted IPs/VPN only; remove public-facing exposure. 3. AUDIT: Review Langflow API logs for POST requests containing absolute paths in `fs_path` parameters; alert on paths outside the Langflow data directory. 4. FIM: Enable file integrity monitoring on the Langflow host for /etc/, /var/spool/cron/, ~/.ssh/, and web root directories. 5. LEAST PRIVILEGE: If running Langflow as root or with elevated OS permissions, switch to a dedicated low-privilege service account immediately. 6. CONTAINERS: Verify AppArmor/SELinux profiles or read-only filesystem mounts are in place to limit write scope if containerized.

What systems are affected by CVE-2025-68478?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI development platforms, model serving, training pipelines.

What is the CVSS score for CVE-2025-68478?

CVE-2025-68478 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 3.26%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM workflow orchestration, AI development platforms, model serving, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
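As an added example (not Langflow's own code), the path-containment check the advisory says is missing from the `fs_path` handling, and the log audit from step 3 above run over constructed sample lines. The data directory, the JSON log layout and the "flow-save" endpoint label are assumptions for this example; only the `fs_path` field name comes from the advisory.

```python
import json
import posixpath
from typing import List, Optional, Tuple

def resolve_within(base_dir: str, fs_path: str) -> Optional[str]:
    """Return the normalized target path if fs_path stays under base_dir,
    else None. Relative paths are joined to base_dir; absolute paths pass
    only if they already lie under base_dir. The check is lexical so it
    behaves the same on any host; on a real server also apply
    os.path.realpath to the parent directory to defeat symlinks."""
    if not posixpath.isabs(base_dir):
        raise ValueError("base_dir must be absolute")
    base = posixpath.normpath(base_dir)
    joined = fs_path if posixpath.isabs(fs_path) else posixpath.join(base, fs_path)
    target = posixpath.normpath(joined)          # collapses ".." segments
    # commonpath compares whole components, so /var/langflow2 is not
    # mistaken for a child of /var/langflow (a plain startswith check would be)
    if posixpath.commonpath([base, target]) != base:
        return None
    return target

# Constructed sample log lines (one JSON record per line). The layout is an
# assumption for this example; real Langflow or reverse-proxy logs differ.
SAMPLE_LOGS = """
{"method":"POST","endpoint":"flow-save","user":"alice","body":{"fs_path":"flows/chatbot.json"}}
{"method":"POST","endpoint":"flow-save","user":"bob","body":{"fs_path":"/etc/cron.d/persistence"}}
{"method":"GET","endpoint":"flow-list","user":"alice"}
{"method":"POST","endpoint":"flow-save","user":"carol","body":{"fs_path":"../../home/ubuntu/.ssh/authorized_keys"}}
"""

def find_escaping_requests(log_text: str, base_dir: str) -> List[Tuple[str, str]]:
    """Return (user, fs_path) for every POST whose fs_path resolves outside
    base_dir. Safe requests and requests without fs_path are skipped."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        fs_path = rec.get("body", {}).get("fs_path")
        if rec.get("method") != "POST" or fs_path is None:
            continue
        if resolve_within(base_dir, fs_path) is None:
            hits.append((rec.get("user", "?"), fs_path))
    return hits

if __name__ == "__main__":
    for user, path in find_escaping_requests(SAMPLE_LOGS, "/var/langflow"):
        print(f"ALERT: user {user} attempted fs_path outside data dir: {path}")
```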

Exploitation Scenario

An adversary with a shared dev team Langflow account (or stolen low-privilege credentials) sends a POST request to the Flow save endpoint with `fs_path` set to `/etc/cron.d/persistence`. The Langflow server serializes a Flow JSON object — whose content can be partially controlled — to that path. If the JSON structure includes a comment-like line parseable as a valid cron expression, cron executes it on the next run interval. Alternatively, writing to `/home/ubuntu/.ssh/authorized_keys` injects an attacker SSH public key for persistent access. In an AI pipeline context, the attacker overwrites a scheduled Python training script at `/opt/ml/scripts/train.py` with a reverse shell payload, which executes when the next training run triggers, granting access to model weights, API keys stored as environment variables, and the full data science infrastructure.

Weaknesses (CWE)

CWE-610 — Externally Controlled Reference to a Resource in Another Sphere: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Timeline

Published
December 19, 2025
Last Modified
January 3, 2026
First Seen
December 19, 2025
