CVE-2025-3248 – Langflow

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“An exposed API endpoint should never become an open door to your entire system.”

This update addresses CVE-2025-3248, a critical code injection vulnerability affecting Langflow versions prior to 1.3.0. The vulnerability exists in the /api/v1/validate/code endpoint, where a remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code on the affected system. The CVSS score is 9.8, which is Critical severity.

The update removes the code injection weakness in the affected API endpoint, preventing unauthenticated attackers from executing arbitrary code. Active exploitation has been confirmed for this vulnerability. Organizations running affected Langflow versions should update to version 1.3.0 or later to mitigate the risk.

Key Details

Affected Product
Langflow Langflow
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-306
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.