The U.S. Cybersecurity & Infrastructure Safety Company (CISA) has tagged a Langflow distant code execution vulnerability as actively exploited, urging organizations to use security updates and mitigations as quickly as potential.
The vulnerability is tracked as CVE-2025-3248 and is a essential unauthenticated RCE flaw that permits any attacker on the web to take full management of weak Langflow servers by exploiting an API endpoint flaw.
Langflow is an open-source visible programming instrument for constructing LLM-powered workflows utilizing LangChain elements. It offers a drag-and-drop interface to create, take a look at, and deploy AI brokers or pipelines with out writing full backend code.
The instrument, which has almost 60k stars and 6.3k forks on GitHub, is utilized by AI builders, researchers, and startups, for prototyping chatbots, information pipelines, agent methods, and AI purposes.
Langflow exposes an endpoint (/api/v1/validate/code) designed to validate user-submitted code. In weak variations, this endpoint doesn’t safely sandbox or sanitize the enter, permitting an attacker to ship malicious code to that endpoint and have it executed immediately on the server.
CVE-2025-3248 was fastened in model 1.3.0, launched on April 1, 2025, so it is beneficial to improve to that model or later to mitigate the dangers that come up from the flaw.
The patch was minimal, simply including authentication for the weak endpoint, involving no sandboxing or hardening.
The most recent Langflow model, 1.4.0, was launched earlier immediately and incorporates an extended checklist of fixes, so customers ought to improve to this launch.
Horizon3 researchers printed an in-depth technical weblog concerning the flaw on April 9, 2025, together with a proof-of-concept exploit.
The researchers warned concerning the excessive chance of exploitation for CVE-2025-3248, figuring out a minimum of 500 internet-exposed situations on the time.
Supply: Horizon3
Those that can not improve to a secure model instantly are beneficial to limit community entry to Langflow by placing it behind a firewall, authenticated reverse proxy, or VPN. Additionally, direct web publicity is discouraged.
CISA has given federal businesses till Could 26, 2025, to use the security replace or mitigations or cease utilizing the software program.
CISA has not supplied any particular particulars concerning the noticed exploitation exercise and has said that it’s at the moment unknown whether or not ransomware teams are exploiting the vulnerability.
For customers of Langflow, it is essential to remember Horizon3’s remarks concerning the instrument’s design, which, based on them, has poor privilege separation, no sandbox, and a historical past of RCEs “by design” stemming from its nature and supposed performance.
CVE-2025-3248 is the primary actually unauthenticated RCE flaw in Langflow, and given its energetic exploitation standing, rapid motion is required.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and how you can defend towards them.
