A recent disclosure has revealed a critical security flaw in the open-source Langflow platform, which has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), due to evidence of active exploitation.
The vulnerability, identified as CVE-2025-3248, has a CVSS score of 9.8 out of 10.0, indicating a high level of severity.
According to CISA, “Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.”
Specifically, the endpoint improperly invokes Python’s built-in exec() function on user-supplied code without adequate authentication or sandboxing, enabling attackers to execute arbitrary commands on the server.
The issue, which affects most versions of the popular tool, has been addressed in version 1.3.0, released on March 31, 2025. Horizon3.ai is credited with discovering and reporting the flaw in February.
Horizon3.ai describes the vulnerability as “easily exploitable“, allowing unauthenticated remote attackers to gain control of Langflow servers. A proof-of-concept (PoC) exploit has been made publicly available as of April 9, 2025, by other researchers.
Data from attack surface management platform Censys indicates that there are 466 internet-exposed Langflow instances, with the majority concentrated in the United States, Germany, Singapore, India, and China.
The current exploitation of this vulnerability in real-world attacks, including the parties involved and their motives, is unknown. Federal Civilian Executive Branch (FCEB) agencies have until May 26, 2025, to apply the necessary fixes.
“CVE-2025-3248 highlights the risks of executing dynamic code without secure authentication and sandboxing measures,” Zscaler notes. “This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet.”
