PRP: Langflow CVE-2025-34291 CORS Misconfiguration to RCE

[saurabhb-dev]

• Identifier of the vulnerability: CVE-2025-34291 and GHSA-577h-p2hh-v4mv
• Affected software: Langflow (versions <= 1.6.9)
• Type of vulnerability: CORS Misconfiguration / Account Takeover / RCE
• Requires authentication: No
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • GHSA-577h-p2hh-v4mv
  • https://nvd.nist.gov/vuln/detail/CVE-2025-34291
  • https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 0 issues tagged as main;
• The contributor has 0 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[saurabhb-dev]

Hi @tooryx , Does assigned means I can start working on it?

[tooryx]

Hi @saurabhb-dev,

No, please for the panel decision.

Thank you,
~tooryx