CVE-2025-3248

unknown KEV

Published 2025-06-17 · Modified 2025-05-05

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.

CISA KEV

Vendor: Langflow
Product: Langflow
Due date: 2025-05-26

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

{Vendor advisory: cisa-kev — This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/advisories/GHSA-c995-4fw3-j39m ; https://nvd.nist.gov/vuln/detail/CVE-2025-3248}

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52262 remote multiple

VeryLazyTech · 2025-04-18

Langflow 1.3.0 - Remote Code Execution (RCE)

Source code queued for fetch — refresh in a moment.

EDB-52364 webapps multiple

Raghad Abdallah Al-syouf · 2025-07-16

Langflow 1.2.x - Remote Code Execution (RCE)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_multi/http/langflow_unauth_rce_cve_2025_3248 rank 600

Langflow AI RCE

Source fetch failed: fetch_error — view the original via the link above.

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	langflow	`<1.3.0`	`1.3.0`
PyPI	langflow-base	`<0.3.0`	`0.3.0`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.