A critical flaw found in the open source Langflow platform was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Langflow is a Python-based Web application, a popular tool in the realm of agentic AI that allows users to build AI-driven agents and workflows. The vulnerability, tracked as CVE-2025-3248, is described as a missing authentication flaw that allows remote attackers to compromise Langflow servers. With a CVSS score of 9.8, the vulnerability is considered critical and threatens Langflow versions prior to 1.3.0, which are susceptible to code injection in the /api/v1/validate/code endpoint.[1]
Researchers have found that the endpoint improperly invokes Python's built-in exec() function on user-supplied code without performing adequate authentication, ultimately allowing remote attackers to execute arbitrary commands.
Version 1.3.0 of Langflow was released only at the end of March 2025, and though it mentions several other fixes, according to researchers at SANS Technology Institute's Internet Storm Center, there are no mentions of a major vulnerability requiring fixing. "The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit," said Johannes Ullrich, dean of research at SANS Technology Institute, in a post last month detailing the vulnerability's exploit attempts. "Horizon3 published its blog on 9 April. We saw a first hit to the vulnerable URL, "/api/v1/validate/code", on 10 April. Today (12 April), we saw a significant increase in hits for this URL."
Horizon3.ai, which discovered the flaw, said CVE-2025-3248 is "easily exploitable" and noted that while the patch applies an authentication requirement, the vulnerability still can be exploited by attackers to elevate privileges from a regular user to a Langflow superuser. Horizon3.ai encouraged users to update to the latest Langflow version to mitigate against potential exploitation and to refrain from "exposing any recently developed AI tools to the Internet."
Related Article: https://redskyalliance.org/xindustry/german-bank-hit
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.darkreading.com/vulnerabilities-threats/easily-exploitable-langflow-vulnerability-patching
Comments