Cyber Resilience

CVE-2025-3248

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 07 April 2025

Published
07 April 2025
Modified
06 November 2025
KEV Added
05 May 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9285 99.8th percentile
Risk Priority 95 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3248 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Langflow Langflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Langflow versions prior to 1.3.0 contain a code injection vulnerability in the /api/v1/validate/code endpoint. The flaw stems from missing authentication controls combined with unsafe handling of user-supplied input, allowing arbitrary Python code execution through crafted requests to the endpoint.

A remote unauthenticated attacker can exploit the issue by sending specially formed HTTP requests directly to the affected API, achieving full remote code execution with the privileges of the Langflow process. This grants the attacker the ability to read, modify, or delete data and potentially pivot within the environment.

The official fix is included in Langflow 1.3.0, as referenced in the project's release notes and the associated pull request that addresses the endpoint. Organizations should upgrade immediately, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog.

The EPSS score remains consistently high near 0.93, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

CWE(s)
KEV Date Added
05 May 2025

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unauthenticated code injection vulnerability in the public-facing Langflow web application's /api/v1/validate/code endpoint enables remote arbitrary Python code execution.

Affected Assets

langflow
langflow
≤ 1.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks on the /api/v1/validate/code endpoint before any code execution is permitted.

prevent

Requires identification and authentication of all users prior to allowing access to the unauthenticated code-execution endpoint.

prevent

Validates all input to the /validate/code endpoint to block generation and execution of arbitrary Python code.

References