4 min read
By: RedLegg's Cyber Threat Intelligence Team
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES:
Langflow Missing Authentication Vulnerability
CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-3248
Exploit or Proof of Concept (PoC): Yes – https://github.com/Praison001/CVE-2025-3248
Update: CVE-2025-3248 – Langflow Security Advisory
Description: CVE-2025-3248 is a critical remote code execution vulnerability in Langflow, an open-source platform for building AI-driven agents and workflows. The flaw arises from the absence of proper authentication in the /api/v1/validate/code endpoint, which improperly invokes Python's built-in exec() function on user-supplied code without adequate validation or sandboxing. This allows unauthenticated attackers to execute arbitrary commands on the server by sending crafted HTTP requests. The vulnerability affects all Langflow versions prior to 1.3.0.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Security researchers have observed exploit attempts originating from TOR exit nodes, with attackers attempting to retrieve sensitive files such as /etc/passwd. Proof-of-concept exploits have been publicly released, and the vulnerability is considered easily exploitable.
Mitigation Recommendation: Administrators are strongly advised to update Langflow to version 1.3.0 or later, which addresses this vulnerability by requiring authentication for the affected endpoint. If immediate patching is not feasible, it is recommended to restrict access to the /api/v1/validate/code endpoint via firewall rules to trusted IP addresses and monitor systems for any unusual activity.
Note: Given the critical severity of this vulnerability and its active exploitation in the wild, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.