CVE-2025-34291 Sumo Logic CSE · Sumo

Detect CVE-2025-34291: Langflow Origin Validation Error Exploitation in Sumo Logic CSE

Detects exploitation of CVE-2025-34291, an origin validation error (CWE-346) in Langflow that allows attackers to bypass origin checks. This vulnerability is actively exploited in the wild (CISA KEV) and may enable unauthorized access to Langflow API endpoints, flow execution, or administrative functions by bypassing cross-origin restrictions.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/access OR _sourceCategory=nginx OR _sourceCategory=apache
| where (%"url.path" matches "/api/v1/*" OR %"url.path" matches "/api/v2/*" OR %"url.path" matches "/flows*" OR %"url.path" matches "/run*" OR %"url.path" matches "/build*")
| where %"http.method" in ("POST","PUT","DELETE","PATCH")
| where %"http.status_code" in ("200","201","202","204")
| where isNull(%"http.referer") OR %"http.referer" = "" OR %"http.referer" = "null" OR (!isNull(%"http.referer") AND !contains(%"http.referer", %"http.host"))
| eval suspicious_origin = if(isNull(%"http.referer") OR %"http.referer" = "", "Missing Referer", if(%"http.referer" = "null", "Null Origin Bypass", "Cross-Origin Mismatch"))
| count by %"client.ip", suspicious_origin, %"url.path"
| where _count >= 3
| sort by _count desc
high severity medium confidence

Sumo Logic query detecting CVE-2025-34291 exploitation patterns by identifying Langflow API requests with anomalous Origin/Referer header characteristics from the same client IP.

Data Sources

Web Access LogsNginx Access LogsApache Access Logs

Required Tables

_sourceCategory=web/access_sourceCategory=nginx_sourceCategory=apache

False Positives & Tuning

  • Programmatic API consumers that do not emulate browser header behavior
  • Internal network scanners or vulnerability assessment tools probing Langflow endpoints
  • Cross-origin legitimate uses where Referer Policy is set to no-referrer
  • Automated flow execution pipelines that call Langflow API from non-browser contexts

Other platforms for CVE-2025-34291

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-34291 - Missing Origin Header Flow Execution

    Expected signal: Web server access log entry with POST to /api/v1/run/FLOW_ID, empty Referer field, HTTP 200 response code, source IP of test machine

  2. Test 2CVE-2025-34291 - Null Origin Header Bypass Attempt

    Expected signal: Web server log showing POST to /api/v1/flows with Origin: null and Referer: null headers, response code 200 or 201

  3. Test 3CVE-2025-34291 - Cross-Origin Mismatch API Access

    Expected signal: Web server log entry with POST to /api/v1/build/ path, Origin and Referer headers showing external domain not matching Langflow host, response code 200-204

  4. Test 4CVE-2025-34291 - Automated Flow Enumeration Without Origin

    Expected signal: Multiple GET requests to Langflow API endpoints within short timeframe from same source IP, all with empty Referer, varying response codes depending on authentication state

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-34291 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1552Unsecured Credentials

Same Tactic: Initial Access

Popular Detections