CVE-2025-68478 — HIGH (CVSS 7.1) AI Security Vulnerability

CISO Take

Any authenticated Langflow user — including low-privileged accounts — can overwrite arbitrary files on the server filesystem, including cron jobs, SSH keys, and web server configs, enabling full host compromise with a single API call. Upgrade to Langflow 1.7.1 immediately; if patching is blocked, isolate the Langflow instance behind a VPN or internal-only network until patching is complete. This is a trivial exploit requiring no special AI/ML knowledge.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	< 1.7.1	`1.7.1`
langflow	pip	—	No patch

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

0.1%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade Langflow to 1.7.1 immediately — this is the only full fix. 2. ISOLATE: If patching is blocked, restrict Langflow API access to trusted IPs/VPN only; remove public-facing exposure. 3. AUDIT: Review Langflow API logs for POST requests containing absolute paths in `fs_path` parameters; alert on paths outside the Langflow data directory. 4. FIM: Enable file integrity monitoring on the Langflow host for /etc/, /var/spool/cron/, ~/.ssh/, and web root directories. 5. LEAST PRIVILEGE: If running Langflow as root or with elevated OS permissions, switch to a dedicated low-privilege service account immediately. 6. CONTAINERS: Verify AppArmor/SELinux profiles or read-only filesystem mounts are in place to limit write scope if containerized.

Classification

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security controls

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain treatment of AI risks over time

OWASP LLM Top 10

LLM05:2025 - Insecure Plugin Design

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.

Exploitation Scenario

An adversary with a shared dev team Langflow account (or stolen low-privilege credentials) sends a POST request to the Flow save endpoint with `fs_path` set to `/etc/cron.d/persistence`. The Langflow server serializes a Flow JSON object — whose content can be partially controlled — to that path. If the JSON structure includes a comment-like line parseable as a valid cron expression, cron executes it on the next run interval. Alternatively, writing to `/home/ubuntu/.ssh/authorized_keys` injects an attacker SSH public key for persistent access. In an AI pipeline context, the attacker overwrites a scheduled Python training script at `/opt/ml/scripts/train.py` with a reverse shell payload, which executes when the next training run triggers, granting access to model weights, API keys stored as environment variables, and the full data science infrastructure.

Weaknesses (CWE)

CWE-610 Primary CWE-610 Externally Controlled Reference to a Resource in Another Sphere Primary CWE-73 Primary CWE-73 External Control of File Name or Path Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

References

Timeline

Published

December 19, 2025

Last Modified

January 3, 2026

First Seen

December 19, 2025