CISA has added a newly disclosed vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation. The flaw, tracked as CVE-2025-3248, affects Langflow, an open-source visual framework for building applications powered by Large Language Models (LLMs).
With a CVSS score of 9.8, the issue is considered critical and has been found in nearly all Langflow versions released over the past two years.
The vulnerability is due to a missing authentication check in the /api/v1/validate/code endpoint, which allows unauthenticated users to send crafted HTTP requests that trigger Python’s exec() function. This allows arbitrary code execution on vulnerable servers.
Exploitation Demo
Credit: Horizon3.ai
Horizon3.ai, the firm that discovered the bug earlier this year, confirmed that the issue is easily exploitable and that Proof of Concept (PoC) code has already been made public.
Researchers, including those at the SANS Technology Institute, have observed exploitation attempts targeting the flaw in their honeypots, particularly following the public release of technical details and PoC code in early April.
Langflow released a patch in version 1.3.0 on March 31, 2025, adding an authentication requirement to the endpoint. However, researchers noted that while the update helps mitigate the risk, it does not fully eliminate the underlying problem. They also pointed out that Langflow’s design already permits regular users to execute code on the server, which complicates the effectiveness of the fix. In some cases, the vulnerability could be used to escalate privileges to a superuser role.
CISA recommends that all organizations using Langflow patch this vulnerability and, if possible, restrict network exposure to the framework. Under Binding Operational Directive 22-01, federal agencies in the U.S. have until May 26, 2025, to apply the necessary updates.
About the author:
