CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-3248

CVSS 9.8v3.1pub. 2025-04-07upd. 2025-11-06

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

🤖 AI Analysis
How it works

The /api/v1/validate/code endpoint does not require authentication (CWE-306 — missing authentication) and is vulnerable to code injection (CWE-94). A remote attacker sends a crafted HTTP request to this endpoint, injecting malicious code that is subsequently executed on the server side. The absence of any access control mechanisms allows any person with network access to the application to carry out the attack.

Impact

An attacker can execute arbitrary code on the server with Langflow process privileges, which in practice means complete system takeover — data theft, malware installation, or lateral movement in the network.

Mitigation & patch

Langflow must be immediately updated to version 1.3.0 or newer. The patch is available in the official GitHub project repository (tag 1.3.0). Until the update is applied, it is recommended to restrict network access to the Langflow instance to trusted IP addresses only.

Who is affected

Langflow versions earlier than 1.3.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Langflow

    APP
    Langflow
    < 1.3.0

CISA KEV — detailsi

Vendori
Langflow
Producti
Langflow
Added to KEVi
May 5, 2025
Remediation deadline (US Federal)i
May 26, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 26 maja 2025
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-33017CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Langflow: nieuwierzytelniony RCE przez endpoint budowania publicznych przepływów

CVE-2025-34291CRITICAL9.4⚠ KEVPL ✓ten sam produkt

Langflow: przejęcie konta i RCE przez błędną konfigurację CORS

CVE-2026-10134CRITICAL10.0ten sam produkt

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process...

CVE-2026-10140CRITICAL9.6ten sam produkt

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of ...

CVE-2026-7663CRITICAL9.1ten sam produkt

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project res...