Langflow <1.3.0 Remote Unauth Code Injection via API/v1/validate/code
CVE-2025-3248 Published on April 7, 2025

Langflow < 1.3.0 Unauthenticated RCE via /api/v1/validate/code
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Github Repository NVD

Known Exploited Vulnerability

This Langflow Missing Authentication Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.

The following remediation steps are recommended / required by May 26, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2025-3248 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Products Associated with CVE-2025-3248

Want to know whenever a new CVE is published for Langflow? stack.watch will email you.

Langflow
 

Affected Versions

langflow-ai langflow:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-3248

Package Manager Vulnerable Package Versions Fixed In
pip langflow < 1.3.0 1.3.0
pip langflow-base < 0.3.0 0.3.0
pip langflow <= 1.8.1

Exploit Probability

EPSS
91.81%
Percentile
99.69%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.