PT-2025-15232 · Langflow · Langflow

Naveen Sunkavally · Published 2025-04-07 · Updated 2025-08-24 · CVE-2025-3248

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.3.0

Description: The issue resides in the platform's /api/v1/validate/code endpoint, which improperly invokes Python's built-in exec() function on user-supplied code without authentication or sandboxing. This allows unauthenticated remote attackers to execute arbitrary code by sending specially crafted HTTP requests. The vulnerability has been present in Langflow versions dating back two years, affecting numerous installations around the globe. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing that all federal agencies must apply the necessary patches by the approaching deadline of May 26.
Recommendations
  • Update Langflow to version 1.3.0 or later to address the RCE vulnerability.
  • Restrict API access: use firewall rules or access control lists (ACLs) to block access to the /api/v1/validate/code endpoint.
  • Restrict network access to eliminate exposure and reduce the likelihood of exploitation.
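The following is an added defender-side helper, not code from Positive Technologies or from the Langflow project. It does two things the recommendations above imply: it decides whether an installed Langflow version is prior to the fixed release 1.3.0, and it scans web-server access logs for requests to the /api/v1/validate/code endpoint so an operator can confirm whether the endpoint is still reachable (2xx responses) or already rejected by the recommended firewall/ACL rule (401/403/404). The combined log format and the sample log lines are assumptions constructed for the example.

```python
"""Added helper (not Langflow's own code): version check against the
advisory's fixed version 1.3.0, plus an access-log scan for requests to the
/api/v1/validate/code endpoint named in the advisory.

Assumptions: log lines use the Apache/nginx "combined" format; the fixed
version 1.3.0 comes from the advisory text.
"""
from __future__ import annotations

import re
from typing import Iterable

FIXED_VERSION = (1, 3, 0)                 # first fixed release per the advisory
VULNERABLE_PATH = "/api/v1/validate/code"  # endpoint named in the advisory

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.0', 'v1.3.0rc1' or '1.3' into a comparable numeric tuple.

    Pre-release suffixes are dropped, so '1.3.0rc1' compares as 1.3.0;
    treat that as a conservative reading and check the exact tag separately.
    """
    text = text.strip().lstrip("v")
    parts: list[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:   # pad so '1.3' == (1, 3, 0)
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed Langflow is prior to 1.3.0 (the advisory's fix)."""
    return parse_version(version) < FIXED_VERSION


def find_validate_code_requests(lines: Iterable[str]) -> list[dict]:
    """Return one record per request to the vulnerable endpoint.

    'blocked' is True when the status shows the request was rejected
    (401/403/404), i.e. the recommended ACL/firewall rule is in effect.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        # Strip any query string so "/api/v1/validate/code?x=1" still matches.
        path = m.group("path").split("?", 1)[0]
        if path.rstrip("/") == VULNERABLE_PATH:
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": m.group("method"),
                "status": status,
                "blocked": status in (401, 403, 404),
            })
    return hits


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2025:10:00:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/Apr/2025:10:00:02 +0000] "GET /api/v1/flows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Apr/2025:10:05:00 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ver in ("1.2.0", "1.3.0", "v1.4.1"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for hit in find_validate_code_requests(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by passing the file's lines to find_validate_code_requests(); an unblocked (2xx) hit from outside the trusted network means the endpoint is still exposed and the upgrade or ACL recommendation above has not yet taken effect.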

Exploit

Fix

RCE

Code Injection

Missing Authentication

Weakness Enumeration

Related Identifiers
  • BDU:2025-06683
  • CVE-2025-3248
  • GHSA-C995-4FW3-J39M
  • GHSA-RVQX-WPFH-MFX7
  • PYSEC-2025-36

Affected Products
  • Langflow