Back to KEVs

CVE-2025-3248

Langflow Unauth RCE

Basic Information

CVE State: PUBLISHED
Reserved Date: April 04, 2025
Published Date: April 07, 2025
Last Updated: April 09, 2025
Vendor: langflow-ai
Product: langflow
Description: Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 91.18% (Percentile: 99.61%) as of 2025-05-11

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-05 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-05-05 18:10:44 UTC) Source

References

https://github.com/langflow-ai/langflow/pull/6911 https://github.com/langflow-ai/langflow/releases/tag/1.3.0 https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

Known Exploited Vulnerability Information

Source	Added Date
CVE	2025-04-13 00:00:00 UTC

Recent Mentions

Langflow: CVE-2025-3248: Active Exploitation

Source: RecordedFuture • Published: 2025-05-23 00:00:00 UTC

Learn about CVE-2025-3248 affecting Langflow. Patch now to prevent remote code execution.

Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence

Source: TheHackerNews • Published: 2025-05-06 04:24:00 UTC

A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0. "Langflow contains a missing

CISA Adds One Known Exploited Vulnerability to Catalog

Source: All CISA Advisories • Published: 2025-05-05 12:00:00 UTC

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-3248 Langflow Missing Authentication Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/langflow_unauth_rce_cve_2025_3248.rb	2025-04-29 11:01:22 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-3248.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Timeline

CVE ID Reserved

April 04, 2025
CVE Published to Public

April 07, 2025
Added to KEVIntel

April 13, 2025
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025
Proof of Concept Exploit Available

May 05, 2025