A recently disclosed critical security flaw affecting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0.
“Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests,” CISA said.
Specifically, the endpoint was found to improperly pass user-supplied code to Python's built-in exec() function without proper authentication or sandboxing, allowing attackers to execute arbitrary commands on the server.
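The flaw described above is a general anti-pattern: an endpoint that "validates" submitted code by running it. The following is an added illustration, not Langflow's own code or its fix, contrasting a validator built on exec() with one that only parses the source (ast.parse builds a syntax tree and never executes anything) and that refuses unauthenticated callers first. The bearer token, the marker dictionary and the request handler are constructed for the example.

```python
import ast
import hmac
from typing import Dict, Tuple

# Constructed example token; a real deployment would load a secret from config.
EXPECTED_TOKEN = "example-token-change-me"


def is_authenticated(headers: Dict[str, str]) -> bool:
    """Require a bearer token before the server even looks at submitted code.
    The CVE-2025-3248 endpoint performed no such check."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    # Constant-time comparison avoids leaking the token via timing differences.
    return hmac.compare_digest(auth[len("Bearer "):], EXPECTED_TOKEN)


def validate_code_unsafe(source: str, namespace: dict) -> Tuple[bool, str]:
    """Anti-pattern: checking code by executing it. Every side effect in the
    submitted source runs on the server with the service's privileges."""
    try:
        exec(source, namespace)  # deliberately shown as the flaw
    except Exception as exc:
        return False, f"{type(exc).__name__}: {exc}"
    return True, "ok"


def validate_code_safe(source: str) -> Tuple[bool, str]:
    """Hardened: syntax-check with ast.parse, which produces a tree without
    executing the code, so side effects in the source cannot fire."""
    try:
        ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return False, f"SyntaxError at line {exc.lineno}: {exc.msg}"
    return True, "ok"


def handle_validate_request(headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Constructed request handler: authenticate, then parse-only validate."""
    if not is_authenticated(headers):
        return 401, "authentication required"
    ok, message = validate_code_safe(body)
    return (200 if ok else 400), message


if __name__ == "__main__":
    # Constructed snippet whose only effect is to flip a marker when executed.
    marker = {}
    validate_code_unsafe("marker['ran'] = True", {"marker": marker})
    print("exec-based validator ran the code:", marker.get("ran", False))   # True

    marker = {}
    validate_code_safe("marker['ran'] = True")
    print("parse-based validator ran the code:", marker.get("ran", False))  # False
    print(handle_validate_request({}, "x = 1"))                              # (401, ...)
```

The parse-only validator still reports syntax errors with line numbers, which is all a "validate" endpoint needs to return; anything requiring actual execution belongs behind authentication and inside an isolated sandbox, not in the request path.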
The flaw, which affects most versions of the popular tool, has been addressed in version 1.3.0, released on March 31, 2025. Horizon3.ai was credited with discovering and reporting the shortcoming in February.
According to the company, the vulnerability is “easily exploitable” and allows unauthenticated remote attackers to take control of the Langflow server. A proof-of-concept (PoC) exploit has since been made publicly available by other researchers, as of April 9, 2025.
Data from attack surface management platform Censys shows there are 466 instances exposed to the Internet, most of them concentrated in the US, Germany, Singapore, India and China.
It is currently unknown how the vulnerability is being exploited in real-world attacks, by whom, and for what purpose. Federal Civilian Executive Branch (FCEB) agencies have until May 26, 2025, to apply the fixes.
“CVE-2025-3248 highlights the risks of dynamic code execution without secure authentication and sandboxing measures,” Zscaler noted last month. “This vulnerability serves as a critical reminder for organizations to approach code validation with care, especially in internet-facing applications.”