External Control of File Name or Path in Langflow - CVE-2025-68478


Published: April 24, 2026


Vulnerability identifier: #VU127532
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-68478
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Langflow
Affected software: Langflow

Detailed vulnerability description

The vulnerability allows a remote user to overwrite files on the server.

The vulnerability exists due to external control of file name or path in the flow creation endpoint and filesystem save logic when handling a request containing a user-supplied fs_path value. A remote user can send a specially crafted request to overwrite files on the server.

The written content is limited to serialized Flow JSON, but both absolute and relative fs_path values are accepted, so the write can be directed at arbitrary locations the server process can reach.
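The defensive counterpart to the flaw described above is a path-containment check applied before the save: reject absolute paths and resolve the requested name inside a fixed flow directory. The following is an added illustration of that check, not Langflow's code; the directory name, the function names and the `.json` restriction are assumptions.

```python
import json
from pathlib import Path

# Assumed location where flow files are allowed to live.
FLOWS_DIR = Path("/srv/flows")


class UnsafePathError(ValueError):
    """Raised when a user-supplied fs_path would escape FLOWS_DIR."""


def save_flow_unchecked(flow: dict, fs_path: str) -> None:
    # The vulnerable pattern: the request value is used as the target as-is,
    # so "/etc/cron.d/x" or "../../app.py" are written without complaint.
    Path(fs_path).write_text(json.dumps(flow))


def resolve_flow_path(fs_path: str, base_dir: Path = FLOWS_DIR) -> Path:
    """Return the real path for fs_path under base_dir or raise UnsafePathError."""
    candidate = Path(fs_path)
    if candidate.is_absolute():
        raise UnsafePathError("absolute fs_path rejected")
    if candidate.suffix != ".json":
        raise UnsafePathError("flow files must end in .json")
    # resolve() collapses '..' and follows symlinks, so the containment test
    # below is made on the path that would actually be written.
    base_resolved = base_dir.resolve()
    resolved = (base_resolved / candidate).resolve()
    if base_resolved not in resolved.parents:
        raise UnsafePathError("fs_path escapes the flow directory")
    return resolved


def is_safe_fs_path(fs_path: str, base_dir: str = str(FLOWS_DIR)) -> bool:
    """Boolean form of the check, convenient for request validation."""
    try:
        resolve_flow_path(fs_path, Path(base_dir))
        return True
    except UnsafePathError:
        return False


def save_flow(flow: dict, fs_path: str, base_dir: Path = FLOWS_DIR) -> Path:
    """Hardened save: only writes inside base_dir, creating subdirectories."""
    target = resolve_flow_path(fs_path, base_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(flow))
    return target
```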


How to mitigate CVE-2025-68478

Install the security update from the vendor's website.

Sources