Detect CVE-2025-34291: Langflow Origin Validation Error Exploitation in Splunk
Detects exploitation of CVE-2025-34291, an origin validation error (CWE-346) in Langflow that allows attackers to bypass origin checks. This vulnerability is actively exploited in the wild (CISA KEV) and may enable unauthorized access to Langflow API endpoints, flow execution, or administrative functions by bypassing cross-origin restrictions.
MITRE ATT&CK
SPL Detection Query
index=web OR index=proxy OR index=nginx OR index=apache
| where match(uri_path, "^/(api/v1/|api/v2/|flows|run|build)") OR host IN ("langflow", "langflow-api") OR app="langflow"
| eval referer_host=if(isnull(http_referer) OR http_referer="" OR http_referer="null", "MISSING", replace(http_referer, "^https?://([^/]+).*", "\1"))
| eval request_host=if(isnull(host), dest, host)
| eval origin_mismatch=if(referer_host="MISSING" OR referer_host!=request_host, 1, 0)
| where origin_mismatch=1
| where http_method IN ("POST", "PUT", "DELETE", "PATCH")
| where status IN (200, 201, 202, 204)
| eval suspicious_origin=case(
    isnull(http_referer) OR http_referer="", "Missing Referer",
    http_referer="null", "Null Origin Bypass",
    referer_host!=request_host, "Cross-Origin Mismatch",
    true(), "Unknown")
| bin _time span=1m
| stats count AS request_count, values(uri_path) AS endpoints_hit, values(http_method) AS methods_used, values(status) AS response_codes BY src_ip, suspicious_origin, _time
| where request_count > 2
| sort -request_count

Detects potential CVE-2025-34291 exploitation by identifying successful mutating HTTP requests (POST, PUT, DELETE, PATCH with a 2xx response) to Langflow API paths whose Referer header is missing, literally "null", or points at a host other than the Langflow host, which is the logged indicator of an origin-validation bypass. The query keys on Referer because most web-server access logs record it rather than the Origin header; the same three conditions apply to Origin where it is logged.
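As an added example, not part of the original page or of Langflow, the same decision logic in Python run over constructed Apache vhost_combined access-log lines, so the rule can be sanity-checked against sample telemetry before it is deployed in Splunk. The hostnames, addresses and log format are assumptions; the example aggregates per source IP and minute across all three origin labels, which is slightly broader than the query's grouping by suspicious_origin.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "vhost_combined" lines: vhost:port first, Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+)(?::\d+)? (?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
LANGFLOW_PATH = re.compile(r"^/(api/v[12]/|flows|run|build)")  # paths the SPL query scopes to
MUTATING = {"POST", "PUT", "DELETE", "PATCH"}
SUCCESS = {200, 201, 202, 204}

# Constructed sample telemetry, not real logs; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
langflow.internal:443 10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "POST /api/v1/run/abc HTTP/1.1" 200 512 "-" "curl/8.0"
langflow.internal:443 10.0.0.5 - - [10/Mar/2025:12:00:05 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 90 "null" "Mozilla/5.0"
langflow.internal:443 10.0.0.5 - - [10/Mar/2025:12:00:09 +0000] "POST /api/v1/build/abc/flow HTTP/1.1" 200 12 "http://other.example/" "Mozilla/5.0"
langflow.internal:443 10.0.0.7 - - [10/Mar/2025:12:00:20 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 33 "-" "kube-probe/1.29"
langflow.internal:443 10.0.0.8 - - [10/Mar/2025:12:01:00 +0000] "POST /api/v1/run/abc HTTP/1.1" 200 512 "https://langflow.internal/flows" "Mozilla/5.0"
langflow.internal:443 10.0.0.9 - - [10/Mar/2025:12:01:03 +0000] "POST /api/v1/run/abc HTTP/1.1" 403 20 "-" "curl/8.0"
"""

def classify_origin(referer, request_host):
    """Return the query's suspicious_origin label, or None when the Referer host matches the server."""
    if referer in ("", "-"):                      # "-" is how Apache/nginx log an absent header
        return "Missing Referer"
    if referer.lower() == "null":                 # opaque origin serialised as the string "null"
        return "Null Origin Bypass"
    m = re.match(r"^https?://([^/:]+)", referer)  # scheme and port stripped before comparing
    referer_host = m.group(1) if m else referer
    return None if referer_host == request_host else "Cross-Origin Mismatch"

def detect(log_text, threshold=2):
    # Mirror the SPL pipeline: scope, method and status filters, then bucket flagged hits per minute.
    buckets = defaultdict(lambda: {"count": 0, "labels": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not LANGFLOW_PATH.match(m["path"]):
            continue
        if m["method"] not in MUTATING or int(m["status"]) not in SUCCESS:
            continue
        label = classify_origin(m["referer"], m["vhost"])
        if label is None:
            continue
        minute = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%dT%H:%M")
        b = buckets[(m["src_ip"], minute)]
        b["count"] += 1
        b["labels"].add(label)
    return {key: b for key, b in buckets.items() if b["count"] > threshold}
```

Only 10.0.0.5 is reported: the health-check GET, the same-host Referer and the 403 response are all dropped by the filters, which is the behaviour the tuning notes below rely on.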
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated monitoring tools and health checkers that omit Referer headers
- Internal service-to-service API calls that do not include browser-style headers
- Developers using curl, Postman, or similar tooling without explicit Origin headers
- Reverse proxy configurations that strip or rewrite Origin/Referer headers before logging
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2025-34291 - Missing Origin Header Flow Execution
  Expected signal: Web server access log entry with POST to /api/v1/run/FLOW_ID, empty Referer field, HTTP 200 response code, source IP of test machine
- Test 2: CVE-2025-34291 - Null Origin Header Bypass Attempt
  Expected signal: Web server log showing POST to /api/v1/flows with Origin: null and Referer: null headers, response code 200 or 201
- Test 3: CVE-2025-34291 - Cross-Origin Mismatch API Access
  Expected signal: Web server log entry with POST to /api/v1/build/ path, Origin and Referer headers showing an external domain not matching the Langflow host, response code 200-204
- Test 4: CVE-2025-34291 - Automated Flow Enumeration Without Origin
  Expected signal: Multiple GET requests to Langflow API endpoints within a short timeframe from the same source IP, all with empty Referer, varying response codes depending on authentication state