Critical Langflow Vulnerability (cve-2025-3248) Actively Exploited, Warns Cisa

CISA warns of progressive exploitation of captious Langflow vulnerability (CVE-2025-3248). Critical RCE flaw allows afloat server takeover. Patch to type 1.3.0 now!

In April 2025, cybersecurity researchers astatine Horizon3.ai discovered a captious information vulnerability, designated CVE-2025-3248 pinch 9.8 CVSS, wrong Langflow, a wide adopted open-source instrumentality for building agentic artificial intelligence (Agentic AI) workflows.

The flaw, a codification injection vulnerability, posed a terrible consequence arsenic it allowed unauthorized distant attackers to summation complete power complete Langflow servers pinch ease. Although nan information rumor was fixed successful Langflow type 1.3.0, nan vulnerability has been actively exploited by threat actors.

This was revealed by nan Cybersecurity and Infrastructure Security Agency (CISA), which added nan vulnerability to its Known Exploited Vulnerabilities catalogue connected May 5, 2025, highlighting its severity and nan urgency of applying a patch.

For your information, nan IBM and DataStax-backed task Langflow has a characteristic that lets users alteration and tally nan Python codification that makes its ocular parts work. This “remote codification execution arsenic a feature” is disposable to immoderate personification who has logged in. However, while intended for flexibility, it has inadvertently opened a captious information gap.

According to Horizon3.ai’s research, shared pinch Hackread.com, nan vulnerability was identified successful an unauthenticated API endpoint, /api/v1/validate/code, which was executing Python codification based connected untrusted personification input. While first study showed that Langflow attempts to parse and validate this input, researchers later discovered a clever method to bypass these checks- by exploiting really Python handles usability decorators.

These decorators, typically utilized to heighten usability behaviour, tin successful truth beryllium arbitrary Python code. By injecting malicious codification wrong a decorator, an attacker tin execute commands connected nan server moreover without due authentication.

Horizon3.ai demonstrated nan severity of this flaw by showcasing really it could beryllium utilized to found a distant ammunition and moreover extract delicate accusation from a Langflow server configured pinch authentication.

Following nan nationalist disclosure, different interrogator (@_r00tuser) identified an replacement exploitation way leveraging Python’s default usability argument. “Just propulsion nan susceptible codification to DeepSeek, it will successfully conception nan utilization codification and moreover thief you conception an echo POC,” nan interrogator posted connected X.

#CVE-2025-3248 #DeepSeek
在复现LangFlow 的代码执行漏洞，直接把出现漏洞的代码丢给DeepSeek，它成功构造出了漏洞利用代码，甚至还能帮你构造一个回显的POC。👍👍https://t.co/IAz2Zo8bVu pic.twitter.com/Mblnkwubrk

Install Patches NOW!

Users are powerfully advised to update nan instrumentality to nan newest version. The information spot implements authentication for nan antecedently susceptible endpoint. Organizations utilizing Langflow must prioritize upgrading to type 1.3.0 aliases instrumentality strict web entree controls to limit imaginable exposure.