Количество 2
Количество 2
CVE-2025-68478
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
GHSA-f43r-cc68-gpx4
External Control of File Name or Path in Langflow
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2025-68478 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue. | CVSS3: 7.1 | 0% Низкий | около 2 месяцев назад |
| GHSA-f43r-cc68-gpx4 External Control of File Name or Path in Langflow | CVSS3: 7.1 | 0% Низкий | около 2 месяцев назад |
Уязвимостей на страницу