CVE-2025-3248
Published: 07 April 2025
Summary
CVE-2025-3248 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Langflow Langflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Langflow versions prior to 1.3.0 contain a code injection vulnerability in the /api/v1/validate/code endpoint. The flaw stems from missing authentication controls combined with unsafe handling of user-supplied input, allowing arbitrary Python code execution through crafted requests to the endpoint.
A remote unauthenticated attacker can exploit the issue by sending specially formed HTTP requests directly to the affected API, achieving full remote code execution with the privileges of the Langflow process. This grants the attacker the ability to read, modify, or delete data and potentially pivot within the environment.
The official fix is included in Langflow 1.3.0, as referenced in the project's release notes and the associated pull request that addresses the endpoint. Organizations should upgrade immediately, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog.
The EPSS score remains consistently high near 0.93, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10011
Vulnerability details
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
- CWE(s)
- KEV Date Added
- 05 May 2025
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langflow
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated code injection vulnerability in the public-facing Langflow web application's /api/v1/validate/code endpoint enables remote arbitrary Python code execution.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization checks on the /api/v1/validate/code endpoint before any code execution is permitted.
Requires identification and authentication of all users prior to allowing access to the unauthenticated code-execution endpoint.
Validates all input to the /validate/code endpoint to block generation and execution of arbitrary Python code.