Code Injection Vulnerability in Langflow by Langflow AI
CVE-2025-3248
Key Information:
- Vendor: Langflow-ai
- Product: Langflow
- CVE Published: 7 April 2025
What is CVE-2025-3248?
CVE-2025-3248 is a code injection vulnerability in Langflow, the application from Langflow AI for building and managing AI workflows. The flaw lives in the /api/v1/validate/code endpoint of every version prior to 1.3.0. An attacker who can reach that endpoint can send specially crafted HTTP requests that execute arbitrary code on the server, which puts the Langflow host, and anything it holds credentials for, at risk of full compromise.
Technical Details
The endpoint accepts user-supplied Python source for validation and, in affected versions, does not require authentication. Because the server evaluates the submitted code instead of merely checking its syntax, a remote, unauthenticated attacker can embed code in the request body and have it executed in the context of the Langflow server process. The root cause is improper input validation, made worse by treating untrusted input as executable code. Two practical lessons follow: a "validate" step must never execute what it validates, and any endpoint that can reach an interpreter needs authentication and authorization in front of it.
Potential Impact of CVE-2025-3248
- Arbitrary Code Execution: an attacker can run code of their choosing on the server hosting Langflow, taking control of the process and, depending on how it is deployed, the host itself.
- Data Breach Risk: code running on the server can read the flows, API keys and other secrets Langflow stores or has access to, so exploitation is a direct path to data exfiltration.
- Service Disruption: an attacker who controls the server can stop or corrupt the Langflow service, affecting operational continuity and potentially causing financial loss.
Affected Version(s)
langflow: all versions from 0 up to and including 1.2.0 (every release prior to 1.3.0; upgrade to 1.3.0 or later)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles

Critical Langflow Flaw Enables Malicious Code Injection - Technical Breakdown Released
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-3248 with a CVSS score of 9.8, has been uncovered in Langflow.
1 week ago

Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248) - SANS Internet Storm Center
Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), Author: Johannes Ullrich
3 weeks ago
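Triage logic for the exploit attempts the SANS ISC article above reports, as an added example that is not part of this page or of Langflow: it scans reverse-proxy access logs in the Apache/nginx combined format for POST requests to the affected endpoint, flags those coming from outside an assumed trusted network, and checks a version string against the fix release. The log lines, the trusted ranges and the function names are constructed for the example.

```python
"""Access-log triage for CVE-2025-3248 exploit attempts.

Added example, not from the page or the project.  Log lines are constructed
in the combined log format; the trusted-network list, the endpoint path check
and the helper names are assumptions about a typical deployment.
"""
import ipaddress
import re
from dataclasses import dataclass

VULN_PATH = "/api/v1/validate/code"   # endpoint named in the advisory
FIXED_VERSION = (1, 3, 0)             # first release that is not affected

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Hit:
    ip: str
    ts: str
    status: int
    ua: str
    external: bool   # source not inside any trusted network


def is_affected(version: str) -> bool:
    """True for any langflow release before 1.3.0 (the page's 0 <= version <= 1.2.0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


def triage(lines, trusted_nets):
    """Return every POST to the vulnerable path, marking sources outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != VULN_PATH:
            continue
        ip = ipaddress.ip_address(m["ip"])
        external = not any(ip in n for n in nets)
        hits.append(Hit(m["ip"], m["ts"], int(m["status"]), m["ua"], external))
    return hits


# Constructed sample: one legitimate UI user on the internal network, two
# outside sources hitting the endpoint (documentation IP ranges), one 401
# from a patched instance rejecting an unauthenticated request.
TRUSTED_NETS = ["10.0.0.0/8"]
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2025:09:14:02 +0000] "GET /api/v1/flows HTTP/1.1" 200 5123 "https://langflow.internal/" "Mozilla/5.0"',
    '10.0.0.5 - - [22/Apr/2025:09:15:10 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 64 "https://langflow.internal/" "Mozilla/5.0"',
    '203.0.113.42 - - [22/Apr/2025:09:31:55 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 64 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [22/Apr/2025:09:32:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 401 30 "-" "curl/8.5.0"',
    '203.0.113.42 - - [22/Apr/2025:09:33:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "python-requests/2.31.0"',
]


def external_hits(lines=SAMPLE_LOG, trusted_nets=TRUSTED_NETS):
    """Hits worth an analyst's attention: requests to the endpoint from untrusted sources."""
    return [h for h in triage(lines, trusted_nets) if h.external]


if __name__ == "__main__":
    for h in external_hits():
        verdict = "ACCEPTED (investigate as likely execution)" if 200 <= h.status < 300 else "rejected"
        print(f"{h.ts}  {h.ip:<15} {h.status}  {h.ua:<22} {verdict}")
    print("running 1.2.0 affected:", is_affected("1.2.0"), "| 1.3.0 affected:", is_affected("1.3.0"))
```

Access logs rarely contain the request body, so this cannot tell a benign validation from an injected payload; on a pre-1.3.0 instance, however, any 2xx to this path from a source that should not be talking to Langflow is evidence that attacker-supplied code was evaluated, and the host should be treated as compromised until proven otherwise. Combine the output with the version check: if the instance was affected at the time of the hit, escalate.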
EPSS Score: 83% chance of being exploited in the next 30 days.
CVSS V3.1: 9.8 (Critical), as reported in the coverage above.
Timeline (most recent first)
- Vulnerability started trending
- First article discovered by TheSecMaster
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved