CVE-2025-3248
Langflow Unauth RCE
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- April 04, 2025
- Published Date
- April 07, 2025
- Last Updated
- April 09, 2025
- Vendor
- langflow-ai
- Product
- langflow
- Description
- Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
- Score
- 80.91% (Percentile: 99.08%) as of 2025-04-29
SSVC Information
- Exploitation
- none
- Technical Impact
- total
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2025-04-13 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/langflow_unauth_rce_cve_2025_3248.rb | 2025-04-29 11:01:22 UTC |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-3248.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
langflow_unauth_rce_cve_2025_3248
Type: metasploit • Created: Unknown
Metasploit module for CVE-2025-3248
minxxcozy/CVE-2025-3248-langflow-RCE
Type: github • Created: 2025-04-27 04:41:18 UTC • Stars: 0
CVE-2025-3248 Langflow 사전 인증 원격 코드 실행 취약점 PoC
verylazytech/CVE-2025-3248
Type: github • Created: 2025-04-16 14:00:02 UTC • Stars: 3
PuddinCat/CVE-2025-3248-POC
Type: github • Created: 2025-04-10 14:04:29 UTC • Stars: 1
POC of CVE-2025-3248, RCE of LangFlow
xuemian168/CVE-2025-3248
Type: github • Created: 2025-04-10 11:45:57 UTC • Stars: 5
A vulnerability scanner for CVE-2025-3248 in Langflow applications. 用于扫描 Langflow 应用中 CVE-2025-3248 漏洞的工具。