{"data":{"id":"e3ce50d7-e9e6-4a9d-98f7-d0ca32be3dc8","title":"CVE-2025-34291: Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod","summary":"Langflow versions up to 1.6.9 have a chained vulnerability that allows attackers to take over user accounts and run arbitrary code on the system. The flaw combines two misconfigurations: overly permissive CORS settings (CORS, or cross-origin resource sharing, allows webpages from different domains to access each other) that accept requests from any origin with credentials, and refresh token cookies (a token used to get new access credentials) set to SameSite=None, which allows a malicious webpage to steal valid tokens and impersonate a victim.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-34291","publishedAt":"2025-12-06T04:15:47.433Z","cveId":"CVE-2025-34291","cweIds":["CWE-346"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.13292,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}