Is CVE-2025-34291 exploitable?

Yes — CVE-2025-34291 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2025-34291 a false positive?

No practitioners have marked CVE-2025-34291 a false positive so far (3 verdicts).

How do I remediate CVE-2025-34291?

Practitioners have shared remediation steps for CVE-2025-34291 — see the remediation notes on this page.

CVE-2025-34291

is CVE-2025-34291real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

High · CVSS 8.8EPSS 25.2%CISA KEVCWE-346

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.

References

NVD MITRE CVE.org CISA KEV

Published Dec 5, 2025

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2025-34291/badge.svg)](https://www.truepositive.app/cve/CVE-2025-34291)

HTML

<a href="https://www.truepositive.app/cve/CVE-2025-34291"><img src="https://www.truepositive.app/cve/CVE-2025-34291/badge.svg" alt="TruePositive verdict for CVE-2025-34291"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

3 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

to add your verdict.

Community real-world severity: High (High 3) — CVSS base score 8.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Aisha RahmanCurated
Langflow Origin Validation Error Vulnerability — Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints. Listed in the CISA KEV catalog (added 2026-05-21) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~25%. Treat it as real and prioritize remediation over triage.
0
Remediation · Tomáš NovákCurated
Required action for Langflow Langflow: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. CISA set a federal remediation due date of 2026-06-04. After patching, verify the vulnerable path is no longer reachable before closing the finding.

Same weakness — CWE-346.

CVE-2015-4495CVSS 8.8KEVEPSS 70%
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

CVE-2025-34291

Community ground truth

Field notes & remediation

Related CVEs