Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited, Warns CISA

CISA warns of active exploitation of critical Langflow vulnerability (CVE-2025-3248). Critical RCE flaw allows full server takeover. Patch to version 1.3.0 now!

In April 2025, cybersecurity researchers at Horizon3.ai discovered a critical security vulnerability, designated CVE-2025-3248 with 9.8 CVSS, within Langflow, a widely adopted open-source tool for building agentic artificial intelligence (Agentic AI) workflows.

The flaw, a code injection vulnerability, posed a severe risk as it allowed unauthorized remote attackers to gain complete control over Langflow servers with ease. Although the security issue was fixed in Langflow version 1.3.0, the vulnerability has been actively exploited by threat actors.

This was revealed by the Cybersecurity and Infrastructure Security Agency (CISA), which added the vulnerability to its Known Exploited Vulnerabilities catalogue on May 5, 2025, highlighting its severity and the urgency of applying a patch.

For your information, the IBM and DataStax-backed project Langflow has a feature that lets users change and run the Python code that makes its visual parts work. This “remote code execution as a feature” is available to any user who has logged in. However, while intended for flexibility, it has inadvertently opened a critical security gap.

According to Horizon3.ai’s research, shared with Hackread.com, the vulnerability was identified in an unauthenticated API endpoint, /api/v1/validate/code, which was executing Python code based on untrusted user input. While initial analysis showed that Langflow attempts to parse and validate this input, researchers later discovered a clever method to bypass these checks- by exploiting how Python handles function decorators.

These decorators, typically used to enhance function behaviour, can in fact be arbitrary Python code. By injecting malicious code within a decorator, an attacker can execute commands on the server even without proper authentication.

Horizon3.ai demonstrated the severity of this flaw by showcasing how it could be used to establish a remote shell and even extract sensitive information from a Langflow server configured with authentication.

Following the public disclosure, another researcher (@_r00tuser) identified an alternative exploitation route leveraging Python’s default function argument. “Just throw the vulnerable code to DeepSeek, it will successfully construct the exploit code and even help you construct an echo POC,” the researcher posted on X.

#CVE-2025-3248 #DeepSeek在复现LangFlow 的代码执行漏洞，直接把出现漏洞的代码丢给DeepSeek，它成功构造出了漏洞利用代码，甚至还能帮你构造一个回显的POC。👍👍https://t.co/IAz2Zo8bVu pic.twitter.com/Mblnkwubrk

— kking (@_r00tuser) April 9, 2025

Users are strongly advised to update the tool to the newest version. The security patch implements authentication for the previously vulnerable endpoint. Organizations utilizing Langflow must prioritize upgrading to version 1.3.0 or implement strict network access controls to limit potential exposure.