Vulnerabilities > CVE-2025-3248

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

NVD

Published: 2025-04-07

Updated: 2025-05-06

Summary

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

References

https://github.com/langflow-ai/langflow/pull/6911
https://github.com/langflow-ai/langflow/releases/tag/1.3.0
https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

Vulnerabilities > CVE-2025-3248 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2025-3248"}]}

Summary

Related news

References

Vulnerabilities > CVE-2025-3248