CVE-2025-68478: langflow: File Control enables path manipulation

GHSA-f43r-cc68-gpx4 | Severity: HIGH | PoC available | CISA SSVC: Track*
Published December 19, 2025
CISO Take

Any authenticated Langflow user — including low-privileged accounts — can overwrite arbitrary files on the server filesystem, including cron jobs, SSH keys, and web server configs, enabling full host compromise with a single API call. Upgrade to Langflow 1.7.1 immediately; if patching is blocked, isolate the Langflow instance behind a VPN or internal-only network until patching is complete. This is a trivial exploit requiring no special AI/ML knowledge.

Risk Assessment

High practical risk despite low EPSS. The exploit requires only a valid Langflow account and network access — no brute-forcing, no complex chaining. High integrity impact (arbitrary file write anywhere on the filesystem) means an attacker can escalate to full server compromise via cron persistence, SSH key injection, or overwriting application configs. Organizations exposing Langflow to shared dev teams, contractors, or the public internet face the highest exposure. Not in CISA KEV and EPSS is low, indicating no confirmed mass exploitation yet — patch before that changes.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
langflow   pip                              No patch
langflow   pip          < 1.7.1             1.7.1

Package profile: 147.6K, pushed 6d ago, 38% patched, ~53d to patch.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 7% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): Low

Recommended Action

6 steps

1. PATCH: Upgrade Langflow to 1.7.1 immediately — this is the only full fix.

2. ISOLATE: If patching is blocked, restrict Langflow API access to trusted IPs/VPN only; remove public-facing exposure.

3. AUDIT: Review Langflow API logs for POST requests containing absolute paths in `fs_path` parameters; alert on paths outside the Langflow data directory.

4. FIM: Enable file integrity monitoring on the Langflow host for /etc/, /var/spool/cron/, ~/.ssh/, and web root directories.

5. LEAST PRIVILEGE: If running Langflow as root or with elevated OS permissions, switch to a dedicated low-privilege service account immediately.

6. CONTAINERS: Verify AppArmor/SELinux profiles or read-only filesystem mounts are in place to limit write scope if containerized.
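The AUDIT step above is easiest to apply as a small triage script over the API logs. The following is an added example, not part of this advisory and not Langflow's own tooling: it assumes request bodies (or at least the `fs_path` field) are logged as one JSON record per line, that the save endpoint is `/api/v1/flows/save`, and that the data directory is `/var/lib/langflow/flows`; all three are assumptions, and the log lines are constructed. Because log review cannot touch the server's filesystem, the check is purely lexical (`posixpath.normpath`), which is enough to flag absolute paths, `..` escapes, and writes aimed at the directories the FIM step lists.

```python
"""Triage Langflow API logs for suspicious `fs_path` values (added example)."""
import json
import posixpath

LANGFLOW_DATA_DIR = "/var/lib/langflow/flows"   # assumed, deployment-specific
SAVE_ENDPOINT = "/api/v1/flows/save"             # assumed endpoint path

# Directories called out in the FIM step; a resolved target under any of
# these is escalated to "critical" rather than a plain "alert".
SENSITIVE_PREFIXES = ("/etc/", "/var/spool/cron/", "/root/.ssh/", "/home/", "/var/www/")

# Constructed sample log lines; the record layout is an assumption, not Langflow's real format.
SAMPLE_LOG = """\
{"ts":"2025-12-20T10:01:02Z","user":"alice","method":"POST","path":"/api/v1/flows/save","body":{"fs_path":"my_flow.json"}}
{"ts":"2025-12-20T10:01:09Z","user":"bob","method":"POST","path":"/api/v1/flows/save","body":{"fs_path":"/etc/poc.txt"}}
{"ts":"2025-12-20T10:02:11Z","user":"carol","method":"POST","path":"/api/v1/flows/save","body":{"fs_path":"../../other/flow.json"}}
{"ts":"2025-12-20T10:03:40Z","user":"alice","method":"GET","path":"/api/v1/flows","body":{}}
{"ts":"2025-12-20T10:04:00Z","user":"dave","method":"POST","path":"/api/v1/flows/save","body":{"fs_path":"team/shared/flow2.json"}}
"""


def classify_fs_path(fs_path, data_dir=LANGFLOW_DATA_DIR):
    """Return (verdict, normalized_target) for one fs_path value.

    verdict is "ok" when the lexically normalized path stays inside data_dir,
    "critical" when it lands under a sensitive system directory, otherwise "alert".
    """
    base = posixpath.normpath(data_dir)
    if posixpath.isabs(fs_path):
        target = posixpath.normpath(fs_path)
    else:
        target = posixpath.normpath(posixpath.join(base, fs_path))
    inside = target == base or target.startswith(base + "/")
    if inside:
        return "ok", target
    if target.startswith(SENSITIVE_PREFIXES):
        return "critical", target
    return "alert", target


def triage(log_text):
    """Return a list of (verdict, user, normalized_target, raw_fs_path) for flagged saves."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fs_path = rec.get("body", {}).get("fs_path")
        if rec.get("method") != "POST" or rec.get("path") != SAVE_ENDPOINT or fs_path is None:
            continue
        verdict, target = classify_fs_path(fs_path)
        if verdict != "ok":
            findings.append((verdict, rec.get("user", "?"), target, fs_path))
    return findings


if __name__ == "__main__":
    for verdict, user, target, raw in triage(SAMPLE_LOG):
        print(f"[{verdict.upper()}] user={user} fs_path={raw!r} -> {target}")
```

Run against the embedded sample it reports bob's `/etc/poc.txt` as critical and carol's `../../other/flow.json` as an alert, while the two relative names that stay under the data directory and the GET request are ignored. A real deployment would feed it the actual log format and its own data directory; the classification logic does not change.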

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security controls
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of AI risks over time
OWASP LLM Top 10
LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-68478?

Any authenticated Langflow user — including low-privileged accounts — can overwrite arbitrary files on the server filesystem, including cron jobs, SSH keys, and web server configs, enabling full host compromise with a single API call. Upgrade to Langflow 1.7.1 immediately; if patching is blocked, isolate the Langflow instance behind a VPN or internal-only network until patching is complete. This is a trivial exploit requiring no special AI/ML knowledge.

Is CVE-2025-68478 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-68478, increasing the risk of exploitation.

How to fix CVE-2025-68478?

1. PATCH: Upgrade Langflow to 1.7.1 immediately — this is the only full fix. 2. ISOLATE: If patching is blocked, restrict Langflow API access to trusted IPs/VPN only; remove public-facing exposure. 3. AUDIT: Review Langflow API logs for POST requests containing absolute paths in `fs_path` parameters; alert on paths outside the Langflow data directory. 4. FIM: Enable file integrity monitoring on the Langflow host for /etc/, /var/spool/cron/, ~/.ssh/, and web root directories. 5. LEAST PRIVILEGE: If running Langflow as root or with elevated OS permissions, switch to a dedicated low-privilege service account immediately. 6. CONTAINERS: Verify AppArmor/SELinux profiles or read-only filesystem mounts are in place to limit write scope if containerized.

What systems are affected by CVE-2025-68478?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, AI development platforms, model serving, training pipelines.

What is the CVSS score for CVE-2025-68478?

CVE-2025-68478 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
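The defect the NVD text describes is the absence of three things: path restriction, normalization, and an allowed-directory check. The following added example (not Langflow's code; the function names, the `.json` rule and the minimal Flow payload are assumptions for illustration) puts the vulnerable pattern next to a hardened version that rejects absolute paths, resolves symlinks and `..` against the real filesystem, and then confirms the result is still under the data directory. The `demo()` function runs both in a scratch directory so the difference is observable without touching any real system path.

```python
"""Vulnerable vs. hardened handling of a caller-supplied `fs_path` (added example)."""
import json
import os
import tempfile
from pathlib import Path


def save_flow_unsafe(flow: dict, fs_path: str) -> Path:
    """The pattern the advisory describes: the caller's path is used verbatim,
    so an absolute path or a '..' sequence is written wherever the process can write."""
    target = Path(fs_path)
    target.write_text(json.dumps(flow))
    return target


def resolve_within(base_dir: Path, fs_path: str) -> Path:
    """Map a caller-supplied relative name onto a file strictly inside base_dir.

    Absolute paths are refused up front; the joined path is then resolved
    against the real filesystem (following symlinks and collapsing '..') and
    must still have base_dir as an ancestor. Component-wise comparison via
    Path.parents avoids the classic '/data' vs '/data2' prefix mistake.
    """
    if os.path.isabs(fs_path):
        raise ValueError("absolute fs_path not allowed")
    base = base_dir.resolve()
    candidate = (base / fs_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"fs_path escapes the data directory: {fs_path!r}")
    return candidate


def is_allowed(base_dir: Path, fs_path: str) -> bool:
    """Boolean form of resolve_within for quick checks."""
    try:
        resolve_within(base_dir, fs_path)
        return True
    except ValueError:
        return False


def save_flow_safe(flow: dict, fs_path: str, base_dir: Path) -> Path:
    """Hardened save: validated location, .json only, created under base_dir."""
    target = resolve_within(base_dir, fs_path)
    if target.suffix != ".json":
        raise ValueError("flows must be saved as .json")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(flow))
    return target


def demo() -> dict:
    """Exercise both variants in a temporary directory and report the outcomes."""
    flow = {"name": "demo", "data": {"nodes": [], "edges": []}}  # constructed minimal payload
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data_dir = root / "langflow-data"
        data_dir.mkdir()
        outside = root / "outside.txt"  # stands in for a path like /etc/poc.txt

        # Unsafe variant: the write lands outside the data directory.
        save_flow_unsafe(flow, str(outside))
        results["unsafe_wrote_outside"] = outside.exists()

        # Hardened variant: absolute and traversal paths are refused.
        results["rejected_absolute"] = not is_allowed(data_dir, str(outside))
        results["rejected_traversal"] = [not is_allowed(data_dir, p)
                                         for p in ("../outside.json", "../../outside.json")]

        # A symlink inside the data directory that points outside is refused too,
        # because resolve() follows it before the containment check.
        (data_dir / "link").symlink_to(root)
        results["rejected_symlink_escape"] = not is_allowed(data_dir, "link/outside.json")

        # A legitimate relative name is written under the data directory.
        good = save_flow_safe(flow, "team/flow.json", data_dir)
        results["legit_inside"] = good.exists() and data_dir.resolve() in good.parents
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the containment check alone is not the whole fix: restricting the extension, creating parent directories only under the base, and running the service as a low-privilege account (step 5 of the recommended actions) each limit what a bypass of any single layer could reach.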

Exploitation Scenario

An adversary with a shared dev team Langflow account (or stolen low-privilege credentials) sends a POST request to the Flow save endpoint with `fs_path` set to `/etc/cron.d/persistence`. The Langflow server serializes a Flow JSON object — whose content can be partially controlled — to that path. If the JSON structure includes a comment-like line parseable as a valid cron expression, cron executes it on the next run interval. Alternatively, writing to `/home/ubuntu/.ssh/authorized_keys` injects an attacker SSH public key for persistent access. In an AI pipeline context, the attacker overwrites a scheduled Python training script at `/opt/ml/scripts/train.py` with a reverse shell payload, which executes when the next training run triggers, granting access to model weights, API keys stored as environment variables, and the full data science infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Timeline

Published
December 19, 2025
Last Modified
January 3, 2026
First Seen
December 19, 2025

Related Vulnerabilities