CVE-2025-3248 – Langflow
“An exposed API endpoint should never become an open door to your entire system.”
This update addresses CVE-2025-3248, a critical code injection vulnerability affecting Langflow versions prior to 1.3.0. The vulnerability exists in the /api/v1/validate/code endpoint, where a remote, unauthenticated attacker can send crafted HTTP requests to execute arbitrary code on the affected system. The CVSS score is 9.8, which is Critical severity.
The update removes the code injection weakness in the affected API endpoint, preventing unauthenticated attackers from executing arbitrary code. Active exploitation has been confirmed for this vulnerability. Organizations running affected Langflow versions should update to version 1.3.0 or later to mitigate the risk.
Key Details
- Affected Product
- Langflow Langflow
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-306