CVE-2025-68478

High CVSS: 7.1

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.

Vendor

Langflow

Product

Langflow

CWE

CWE-73

Yayın Tarihi

2025-12-19 18:15:51

Güncelleme

2026-01-02 16:20:53

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-73 Langflow HIGH Langflow 2025

Referanslar

https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4 https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4

Benzer Kayıtlar

Critical

CVE-2026-33873

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assis…

High

CVE-2026-33484

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/ap…

High

CVE-2026-33497

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_p…

Critical

CVE-2026-33475

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection…

Critical

CVE-2026-33309

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypas…

Medium

CVE-2026-33053

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_ap…