AI description
CVE-2025-3248 is a code injection vulnerability that affects Langflow versions prior to 1.3.0. It exists in the `/api/v1/validate/code` endpoint, where a remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code on the server. This vulnerability allows attackers to gain control of vulnerable Langflow servers without needing authentication. To remediate this vulnerability, users are advised to upgrade to Langflow version 1.3.0 or restrict network access to the application.
- Description
- Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
- Source
- disclosure@vulncheck.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- disclosure@vulncheck.com
- CWE-306
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 7
Top 5 Trending CVEs: 1 - CVE-2021-35587 2 - CVE-2025-30406 3 - CVE-2023-43622 4 - CVE-2025-24813 5 - CVE-2025-3248 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
13 Apr 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hello. Today's 1day1line is CVE-2025-3248. https://t.co/BrsOFHQOpU A code injection vulnerability was discovered in LangFlow, an AI agent build and deployment tool. It seems to be a vulnerability that must be considered in the structure that executes the code created by LLM.
@hackyboiz
13 Apr 2025
578 Impressions
3 Retweets
12 Likes
3 Bookmarks
0 Replies
0 Quotes
New post from https://t.co/uXvPWJy6tj (Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th)) has been published on https://t.co/Ks75lZZEqe https://t.co/mHthKlfdvo
@WolfgangSesin
13 Apr 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248) https://t.co/JF0V9puOft https://t.co/Zq10T16GZG
@sans_isc
13 Apr 2025
1722 Impressions
0 Retweets
3 Likes
2 Bookmarks
1 Reply
1 Quote
A serious vulnerability (CVE-2025-3248) has been reported in Langflow, a Python-based web application, that allows remote execution of arbitrary code without authentication via the /api/v1/validate/code endpoint. Attackers can steal environment variables and system information, and in the worst case the server could be completely taken over.
@yousukezan
11 Apr 2025
1888 Impressions
4 Retweets
9 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-3248 - critical 🚨 Langflow AI - Unauthenticated Remote Code Execution > Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/val... 👾 https://t.co/T1ebXcxBJj @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
10 Apr 2025
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3248 : Abusing Python Exec for Unauth RCE in Langflow AI https://t.co/Jti0akPbPu https://t.co/S5sPwJvotT
@freedomhack101
10 Apr 2025
64 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
We discovered an interesting code injection vulnerability, CVE-2025-3248, affecting #Langflow, a popular agentic AI workflow tool. This enables unauthenticated attackers to fully compromise Langflow servers. https://t.co/o3YQ3fE4XR
@Horizon3Attack
9 Apr 2025
4307 Impressions
31 Retweets
58 Likes
27 Bookmarks
0 Replies
1 Quote
#CVE-2025-3248 #DeepSeek While reproducing the LangFlow code execution vulnerability, I handed the vulnerable code straight to DeepSeek, and it successfully constructed exploit code, and even helped build a PoC that echoes back output. 👍👍 https://t.co/IAz2Zo8bVu https://t.co/Mblnkwubrk
@_r00tuser
9 Apr 2025
6118 Impressions
5 Retweets
33 Likes
18 Bookmarks
2 Replies
3 Quotes
🚨 CVE-2025-3248 ⚠️🔴 CRITICAL (9.8) 🏢 langflow-ai - langflow 🏗️ 0 🔗 https://t.co/U0TYl8iBYh 🔗 https://t.co/PpHHROS8RM #CyberCron #VulnAlert #InfoSec https://t.co/aHS28cMGdL
@cybercronai
9 Apr 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-3248 ⚠️🔴 CRITICAL (9.8) 🏢 langflow-ai - langflow 🏗️ 0 🔗 https://t.co/U0TYl8iBYh 🔗 https://t.co/PpHHROS8RM #CyberCron #VulnAlert #InfoSec https://t.co/eC48ludHMp
@cybercronai
8 Apr 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3248 Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP r… https://t.co/vkAyMN2fpw
@CVEnew
7 Apr 2025
383 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes