Platform
python
Component
langflow
Fixed in
1.7.1
CVE-2025-68477 is a security vulnerability affecting Langflow versions up to 1.7.0. The flaw resides in the API Request component, which allows users to define HTTP requests within a flow. Due to insufficient validation, attackers can exploit this to send requests to internal resources, potentially leading to data exposure and unauthorized access. A fix is available in version 1.7.1.
This vulnerability allows an attacker to craft malicious flows that send arbitrary HTTP requests. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, an attacker can potentially reach internal services and data that are not exposed to the public internet, including cloud metadata endpoints (169.254.169.254), loopback (127.0.0.1) and the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The impact ranges from information disclosure to complete compromise of internal systems, depending on which resources are reachable via the HTTP requests. The lack of proper input validation significantly expands the attack surface.
CVE-2025-68477 was publicly disclosed on 2025-12-19. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests a potential for rapid development and deployment of such exploits. The vulnerability's reliance on API key authentication means that compromised API keys significantly increase the risk of exploitation.
Organizations deploying Langflow in environments with internal services or cloud metadata endpoints are particularly at risk. Shared hosting environments where multiple users have access to Langflow flows also present a heightened risk, as a compromised flow from one user could potentially impact other users or the entire hosting infrastructure.
• python / langflow: Get-Process -Name langflow | Select-Object -ExpandProperty Id
• python / langflow: Examine Langflow flow definitions for API Request components with suspicious URLs or internal IP addresses.
• generic web: Monitor access logs for requests to /api/v1/run or /api/v1/run/advanced with unusual parameters.
• generic web: Check response headers for unexpected content or error codes originating from internal resources.
disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Langflow to version 1.7.1 or later, which includes the necessary fixes. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict access to the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) using strong authentication and authorization mechanisms. Implement a Web Application Firewall (WAF) to filter outbound HTTP requests and block those targeting internal IP addresses or cloud metadata endpoints. Regularly review and audit Langflow flows to identify and remove any potentially malicious configurations.
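Added example (not Langflow's own code): a Python helper implementing the two defender-side checks this advisory describes. `is_blocked_destination` is an egress guard that refuses URLs whose host resolves to loopback, link-local (including the 169.254.169.254 metadata address), RFC 1918 or any other non-public address, which is the outbound filtering recommended in the mitigation paragraph; `find_suspicious_api_requests` applies the same check when auditing an exported flow for API Request components that point at internal addresses, as the detection list suggests. The flow layout assumed here (`data.nodes[].data.type == "APIRequest"`, `node.template.urls.value`), the sample flow and the offline DNS table are constructed for this example and are not taken from Langflow's actual export format; verify the key names against the version you run.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Resolve every A/AAAA record for host (empty list if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # sockaddr[0] is the address text; strip any "%scope" suffix on IPv6 link-local.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_blocked_destination(url, resolver=resolve_all):
    """Return a reason string if url must not be fetched, or None if it may.

    Blocks non-http(s) schemes and any host that resolves to a loopback,
    link-local (169.254.0.0/16, which includes the cloud metadata address),
    RFC 1918 private, multicast or otherwise non-global address. A name that
    maps to several addresses is rejected if ANY of them is blocked.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parsed.scheme!r} is not allowed"
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return "URL has no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        addrs = resolver(host)
        if not addrs:
            return f"host {host!r} does not resolve"
    for addr in addrs:
        # ::ffff:10.0.0.5 is an IPv4-mapped IPv6 address; judge the embedded IPv4.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global or addr.is_multicast:
            return f"host {host!r} resolves to non-public address {addr}"
    return None


def find_suspicious_api_requests(flow, resolver=resolve_all):
    """Return [(node_id, url, reason)] for API Request nodes whose URL is blocked.

    Assumed export layout: flow["data"]["nodes"][i]["data"]["type"] names the
    component and ...["data"]["node"]["template"]["urls"]["value"] holds its URLs.
    """
    findings = []
    for node in flow.get("data", {}).get("nodes", []):
        node_data = node.get("data", {})
        if node_data.get("type") != "APIRequest":
            continue
        template = node_data.get("node", {}).get("template", {})
        urls = template.get("urls", {}).get("value") or []
        if isinstance(urls, str):
            urls = [urls]
        for url in urls:
            reason = is_blocked_destination(url, resolver)
            if reason:
                findings.append((node.get("id"), url, reason))
    return findings


# Constructed sample flow (assumed layout, not a real Langflow export).
SAMPLE_FLOW = {
    "name": "constructed example flow",
    "data": {"nodes": [
        {"id": "APIRequest-1", "data": {"type": "APIRequest", "node": {"template": {
            "urls": {"value": ["https://api.example.com/v1/items"]}}}}},
        {"id": "APIRequest-2", "data": {"type": "APIRequest", "node": {"template": {
            "urls": {"value": ["http://169.254.169.254/latest/meta-data/"]}}}}},
        {"id": "APIRequest-3", "data": {"type": "APIRequest", "node": {"template": {
            "urls": {"value": ["http://rebind.example.com/health"]}}}}},
        {"id": "Prompt-1", "data": {"type": "Prompt", "node": {"template": {}}}},
    ]},
}

# Constructed offline stand-in for DNS so the example runs without network access.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    # A name answering with a public AND a private address must still be rejected.
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    for node_id, url, reason in find_suspicious_api_requests(SAMPLE_FLOW, fake_resolver):
        print(f"{node_id}: {url} -> {reason}")
```

Resolving the hostname and checking every returned address, rather than pattern-matching the URL string, is what makes the guard hold against names that point back into the network; in production, pin the request to the address that was checked so a second lookup cannot answer differently.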
Update Langflow to version 1.7.1 or higher. This fixes the SSRF vulnerability in the API Request component. The update can be performed with the package manager that was used to install Langflow, such as pip.
CVE-2025-68477 is a HIGH severity vulnerability in Langflow versions ≤1.7.0 that allows attackers to send arbitrary HTTP requests through the API Request component, potentially exposing internal resources.
You are affected if you are using Langflow version 1.7.0 or earlier. Check your installed version and upgrade immediately.
Upgrade Langflow to version 1.7.1 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting access to flow execution endpoints.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests a potential for rapid development and deployment of exploits.
Refer to the Langflow project's official security advisories and release notes for detailed information and updates regarding CVE-2025-68477.