CVE-2025-3248

Critical KEV CVSS: 9.8

Langflow versions prior to 1.3.0 are susceptible to code injection in
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.

Vendor

Langflow

Product

Langflow

CWE

CWE-306

Yayın Tarihi

2025-04-07 15:15:44

Güncelleme

2025-11-06 13:57:48

Source Identifier

disclosure@vulncheck.com

KEV Date Added

2025-05-05

Kategoriler

CWE-306 Langflow CRITICAL Langflow 2025

Referanslar

https://github.com/langflow-ai/langflow/pull/6911 https://github.com/langflow-ai/langflow/releases/tag/1.3.0 https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/ https://www.vulncheck.com/advisories/langflow-unauthenticated-rce https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248

Benzer Kayıtlar

Critical

CVE-2026-33873

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assis…

High

CVE-2026-33484

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/ap…

High

CVE-2026-33497

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_p…

Critical

CVE-2026-33475

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection…

Critical

CVE-2026-33309

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypas…

Medium

CVE-2026-33053

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_ap…