CVE-2025-3248: Langflow Code Injection Vulnerability
CVSS 9.8 (CRITICAL)
Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

INFO

Published Date: April 7, 2025, 3:15 p.m.
Last Modified: April 9, 2025, 7:15 p.m.
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 3.9
Public PoC/Exploit Available on GitHub

CVE-2025-3248 has 14 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by the CVE-2025-3248 vulnerability. Although cvefeed.io is aware of the exact product versions that are affected, that information is not shown in the table below.

ID Vendor Product Action
1 Langflow langflow
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-3248.

URL Resource
https://github.com/langflow-ai/langflow/pull/6911
https://github.com/langflow-ai/langflow/releases/tag/1.3.0
https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

(no description)

Language: Dockerfile

Updated: 1 day, 22 hours ago
0 stars, 0 forks, 0 watchers
Born at: April 27, 2025, 12:17 p.m. This repo is linked to 1 CVE.

CVE-2025-3248 Langflow pre-authentication remote code execution vulnerability PoC

Updated: 1 day, 20 hours ago
0 stars, 0 forks, 0 watchers
Born at: April 27, 2025, 4:41 a.m. This repo is linked to 1 CVE.

(no description)

Tags: cve-2025-3248 langflow rce

Language: Python

Updated: 1 week, 5 days ago
3 stars, 0 forks, 0 watchers
Born at: April 16, 2025, 2 p.m. This repo is linked to 1 CVE.

POC of CVE-2025-3248, RCE of LangFlow

Tags: exp langflow poc cve-2025-3248

Language: Python

Updated: 2 weeks, 4 days ago
1 star, 0 forks, 0 watchers
Born at: April 10, 2025, 2:04 p.m. This repo is linked to 1 CVE.

A vulnerability scanner for CVE-2025-3248 in Langflow applications. A tool for scanning Langflow applications for the CVE-2025-3248 vulnerability.

Tags: ai langflow

Language: Python

Updated: 1 week, 1 day ago
5 stars, 0 forks, 0 watchers
Born at: April 10, 2025, 11:45 a.m. This repo is linked to 1 CVE.

A backup of a vulnerability library; we have maintained it since March.

Updated: 2 days, 5 hours ago
931 stars, 291 forks, 291 watchers
Born at: March 4, 2025, 2:54 p.m. This repo is linked to 213 different CVEs.

A project that syncs the contents of docs-base in Vulnerability-Wiki every day.

Language: HTML

Updated: 1 week ago
3 stars, 0 forks, 0 watchers
Born at: Sept. 20, 2024, 3:27 a.m. This repo is linked to 239 different CVEs.

This software first integrates RCE (without login, or via login bypass) and deserialization (simple exploit chains) for high-impact frameworks and some mainstream CMSs. Import URLs in bulk to get shells in batches; batch automated testing. Examples: ThinkPHP, Struts2, WebLogic. The latest vulnerabilities are tracked and updated in real time, for example: Log4j RCE, Sunflower (向日葵), Zentao RCE, Ruiyou Tianyi application virtualization system SQL injection leading to RCE, Dahua Smart Park upload, Kingdee Cloud Galaxy vulnerabilities, etc.

Tags: cve-2022-1388 cve-2022-22947 cve-2022-22954 cve-2022-22963 cve-2022-22965 cve-2022-23131 cve-2022-29464 cve-2022-30525 qvd-2023-6271 cve-2023-28432 qvd-2023-8621 cve-2023-34960 cve-2023-27372 cve-2024-25600 qvd-2024-11354 cve-2024-5084 cve-2024-36401 qvd-2024-44346 cve-2024-9047 cve-2025-3248

Languages: C++ C#

Updated: 6 days, 10 hours ago
260 stars, 11 forks, 11 watchers
Born at: Jan. 8, 2023, 5:21 a.m. This repo is linked to 43 different CVEs.

A CVE vulnerability early-warning knowledge base, with no exploits/PoCs; some entries include remediation guidance. A knowledge base of CVE security vulnerabilities, no PoCs/exploits.

Updated: 4 days, 2 hours ago
118 stars, 18 forks, 18 watchers
Born at: Jan. 5, 2023, 2:19 a.m. This repo is linked to 162 different CVEs.

A vulnerability PoC knowledge base. A knowledge base of vulnerability PoCs (proofs of concept), with 1k+ vulnerabilities.

Tags: poc

Language: Dockerfile

Updated: 2 days, 8 hours ago
4117 stars, 839 forks, 839 watchers
Born at: Feb. 20, 2022, 6:43 a.m. This repo is linked to 443 different CVEs.

(no description)

Updated: 2 weeks, 5 days ago
0 stars, 0 forks, 0 watchers
Born at: Nov. 27, 2020, 8:35 p.m. This repo is linked to 29 different CVEs.

📡 PoCs auto-collected from GitHub. ⚠️ Beware of malware.

Tags: security cve exploit poc vulnerability

Updated: 2 days, 3 hours ago
6873 stars, 1158 forks, 1158 watchers
Born at: Dec. 8, 2019, 1:03 p.m. This repo is linked to 848 different CVEs.

Crawls secwiki and xuanwu.github.io/sec.today, analyses security information sites and security trends, and extracts security practitioner accounts (Twitter, WeChat, GitHub, etc.).

Languages: Python HTML

Updated: 2 days, 20 hours ago
1287 stars, 220 forks, 220 watchers
Born at: Feb. 19, 2019, 10:24 a.m. This repo is linked to 17 different CVEs.

Pre-Built Vulnerable Environments Based on Docker-Compose

Tags: docker vulnerability-environment docker-compose vulhub dockerfile

Languages: PHP Shell HTML Ruby Python Java CSS JavaScript Perl Dockerfile

Updated: 2 days, 5 hours ago
18759 stars, 4492 forks, 4492 watchers
Born at: April 9, 2017, 10:13 a.m. This repo is linked to 1 CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following list shows news articles that mention the CVE-2025-3248 vulnerability anywhere in the article.

  • Cyber Security News
Critical Langflow Vulnerability Allows Malicious Code Injection – Technical Details Revealed

Cybersecurity researchers have uncovered a critical remote code execution (RCE) vulnerability in Langflow, an open-source platform widely used for visually composing AI-driven agents and workflows. De ...

Published Date: Apr 24, 2025 (4 days, 23 hours ago)

The following table lists the changes that have been made to the CVE-2025-3248 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    Apr. 09, 2025

    Added Reference: https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
  • New CVE Received by [email protected]

    Apr. 07, 2025

    Added Description: Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
    Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE: CWE-306
    Added Reference: https://github.com/langflow-ai/langflow/pull/6911
    Added Reference: https://github.com/langflow-ai/langflow/releases/tag/1.3.0
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-3248 is associated with the following CWE (as recorded in the change history above):

CWE-306: Missing Authentication for Critical Function

Common Attack Pattern Enumeration and Classification (CAPEC)

CVSS 3.1 - Vulnerability Scoring System

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
© cvefeed.io
Latest DB Update: Apr. 29, 2025 11:30