CVE-2025-3248 - Langflow Missing Authentication Vulnerability

Vulnerability Name

Langflow Missing Authentication Vulnerability

Description

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/advisories/GHSA-c995-4fw3-j39m

https://nvd.nist.gov/vuln/detail/CVE-2025-3248

Related News Articles

New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS AttacksJune 17, 2025

Critical Langflow RCE flaw exploited to hack AI app serversMay 7, 2025

RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)May 6, 2025

Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation EvidenceMay 6, 2025