The following Python script is provided to scan, verify, or query the system telemetry:
#!/usr/bin/env python3
import json
import os
import re
import subprocess
from pathlib import Path
OUT = Path(os.environ.get("OUT", "hp-langflow-cve-2025-34291-closure")).resolve()
CVE = "CVE-2025-34291"
NVD_VULN_END = "1.6.9"
FIRST_PATCHED = "1.7.0"
SOURCE = "https://github.com/advisories/GHSA-577h-p2hh-v4mv"
def vt(value):
return tuple(int(x) for x in re.findall(r"\d+", str(value))[:4])
def ge(left, right):
l, r = vt(left), vt(right)
width = max(len(l), len(r), 1)
return l + (0,) * (width - len(l)) >= r + (0,) * (width - len(r))
OUT.mkdir(parents=True, exist_ok=True)
result = {"cve": CVE, "first_patched_version": FIRST_PATCHED, "source": SOURCE, "python_runtime": [], "docker_images": []}
pip_cmds = [["python3", "-m", "pip", "show", "langflow"], ["python", "-m", "pip", "show", "langflow"]]
for cmd in pip_cmds:
try:
proc = subprocess.run(cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=20)
except Exception as exc:
result["python_runtime"].append({"cmd": cmd, "error": str(exc)})
continue
version = ""
for line in proc.stdout.splitlines():
if line.lower().startswith("version:"):
version = line.split(":", 1)[1].strip()
if version:
result["python_runtime"].append({
"cmd": cmd,
"installed_version": version,
"nvd_vulnerable_end_including": NVD_VULN_END,
"first_patched_version": FIRST_PATCHED,
"at_or_above_first_patched": ge(version, FIRST_PATCHED),
})
try:
proc = subprocess.run(["docker", "images", "--format", "{{.Repository}}:{{.Tag}} {{.ID}}"], text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=30)
for line in proc.stdout.splitlines():
if "langflow" in line.lower():
result["docker_images"].append({"image": line, "selector": "langflow"})
except Exception as exc:
result["docker_error"] = str(exc)
(OUT / "langflow-cve-2025-34291-version-verification.json").write_text(json.dumps(result, indent=2, sort_keys=True), encoding="utf-8")
# Remediation trigger: any runtime or image at Langflow 1.6.9 or earlier remains open for CVE-2025-34291.
print(json.dumps({"out": str(OUT), "runtime_checks": len(result["python_runtime"]), "docker_hits": len(result["docker_images"])}, indent=2))