CVE-2025-3248

Published Apr 7, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-3248 is a code injection vulnerability that affects Langflow versions prior to 1.3.0. It exists in the `/api/v1/validate/code` endpoint, where a remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code on the server. This vulnerability allows attackers to gain control of vulnerable Langflow servers without needing authentication. To remediate this vulnerability, users are advised to upgrade to Langflow version 1.3.0 or restrict network access to the application.

Description
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Source
disclosure@vulncheck.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-306

Social media

Hype score
Not currently trending
  1. 『The issue resides in the platform’s /api/v1/validate/code endpoint, which improperly invokes Python’s built-in exec() function on user-supplied code without authentication or sandboxing.』 CVE-2025-3248: RCE vulnerability in Langflow https://t.co/CpWbbJaAnO

    @autumn_good_35

    24 Apr 2025

    467 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Critical RCE flaw (CVE-2025-3248) hits Langflow, allowing unauthenticated attackers to execute arbitrary code. Patch to v1.3.0 now! This follows the recent PyTorch vuln, signaling major RCE risks in AI tools. 🛡️ #Cybersecurity #Langflow #AI https://t.co/HzhqmhaYMe

    @_F2po_

    23 Apr 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-3248 is a vulnerability that allows attackers to perform remote code execution by exploiting Langflow’s API endpoint. Mitigate this vulnerability immediately by updating to version 1.3.0. Learn more here: https://t.co/4d2zWD7xVI https://t.co/piYN2T9fUc

    @Threatlabz

    23 Apr 2025

    30 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Metasploit has announced its latest update. The new "PIPE_FETCH" option greatly reduces the command size of fetch payloads. RCE modules for BentoML (CVE-2025-27520) and Langflow (CVE-2025-3248) have been added. Various modules also received feature enhancements and bug fixes. https://t.co/URXHp3fibR

    @01ra66it

    19 Apr 2025

    2463 Impressions

    6 Retweets

    48 Likes

    9 Bookmarks

    1 Reply

    0 Quotes

  5. 🚨 AI devs, CVE-2025-3248 is a NIGHTMARE! 😱 Hackers can OWN your Langflow server w/ ZERO auth—CVSS 9.8 critical! Exploits are LIVE on TOR. Don’t let your AI workflows get pwned. 🛡️ Click for the ultimate guide to patch & protect + real PoCs. Be the hero who locks it do

    @Squid_Sec

    16 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Top 5 Trending CVEs: 1 - CVE-2021-35587 2 - CVE-2025-30406 3 - CVE-2023-43622 4 - CVE-2025-24813 5 - CVE-2025-3248 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    13 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Hello. Today's 1day1line is CVE-2025-3248. https://t.co/BrsOFHQOpU A code injection vulnerability was discovered in LangFlow, an AI agent build and deployment tool. It seems to be a vulnerability that must be considered in the structure that executes the code created by LLM.

    @hackyboiz

    13 Apr 2025

    910 Impressions

    4 Retweets

    18 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  8. New post from https://t.co/uXvPWJy6tj (Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th)) has been published on https://t.co/Ks75lZZEqe https://t.co/mHthKlfdvo

    @WolfgangSesin

    13 Apr 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248) https://t.co/JF0V9puOft https://t.co/Zq10T16GZG

    @sans_isc

    13 Apr 2025

    1845 Impressions

    0 Retweets

    3 Likes

    2 Bookmarks

    1 Reply

    1 Quote

  10. A serious vulnerability (CVE-2025-3248) has been reported in Langflow, a Python web application, that allows remote execution of arbitrary code without authentication via the /api/v1/validate/code endpoint. An attacker can steal environment variables and system information, and in the worst case could take complete control of the server.

    @yousukezan

    11 Apr 2025

    1888 Impressions

    4 Retweets

    9 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 CVE-2025-3248 - critical 🚨 Langflow AI - Unauthenticated Remote Code Execution > Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/val... 👾 https://t.co/T1ebXcxBJj @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    10 Apr 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-3248 : Abusing Python Exec for Unauth RCE in Langflow AI https://t.co/Jti0akPbPu https://t.co/S5sPwJvotT

    @freedomhack101

    10 Apr 2025

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. We discovered an interesting code injection vulnerability, CVE-2025-3248, affecting #Langflow, a popular agentic AI workflow tool. This enables unauthenticated attackers to fully compromise Langflow servers. https://t.co/o3YQ3fE4XR

    @Horizon3Attack

    9 Apr 2025

    4307 Impressions

    31 Retweets

    58 Likes

    27 Bookmarks

    0 Replies

    1 Quote

  14. #CVE-2025-3248 #DeepSeek While reproducing the LangFlow code execution vulnerability, I handed the vulnerable code straight to DeepSeek; it successfully constructed exploit code and could even help build a PoC with echoed output. 👍👍 https://t.co/IAz2Zo8bVu https://t.co/Mblnkwubrk

    @_r00tuser

    9 Apr 2025

    6118 Impressions

    5 Retweets

    33 Likes

    18 Bookmarks

    2 Replies

    3 Quotes

  15. 🚨 CVE-2025-3248 ⚠️🔴 CRITICAL (9.8) 🏢 langflow-ai - langflow 🏗️ 0 🔗 https://t.co/U0TYl8iBYh 🔗 https://t.co/PpHHROS8RM #CyberCron #VulnAlert #InfoSec https://t.co/aHS28cMGdL

    @cybercronai

    9 Apr 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 CVE-2025-3248 ⚠️🔴 CRITICAL (9.8) 🏢 langflow-ai - langflow 🏗️ 0 🔗 https://t.co/U0TYl8iBYh 🔗 https://t.co/PpHHROS8RM #CyberCron #VulnAlert #InfoSec https://t.co/eC48ludHMp

    @cybercronai

    8 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-3248 Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP r… https://t.co/vkAyMN2fpw

    @CVEnew

    7 Apr 2025

    383 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes