CVE-2025-3248
published 2025-04-07CVE-2025-3248: Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send…
PriorityP1100critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2025-05-26
Exploited in the wild
EPSS
99.97%
100.0th percentile
Langflow versions prior to 1.3.0 are susceptible to code injection in
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | < 1.9.0 | 1.9.0 |
| langflow | langflow | < 1.8.2 | 1.8.2 |
| langflow | langflow | < 1.3.0 | 1.3.0 |
| langflow | langflow | >= 0 < 1.3.0 | 1.3.0 |
| langflow | langflow | 0 – 1.8.2 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated POST requests to the /api/v1/validate/code endpoint; any request reaching this endpoint without a valid JWT Bearer token or x-api-key should be treated as suspicious. ↗
- →Detect payloads containing exec() with __import__("subprocess") patterns in POST bodies to /api/v1/validate/code, particularly those embedding system commands inside raise Exception() wrappers. ↗
- →Monitor for outbound curl/wget requests from the Langflow server process to external IPs, especially pipe-to-shell patterns (curl ... | sh), which indicate post-exploitation downloader activity. ↗
- →Hunt for reconnaissance commands (whoami, printenv, ip addr show, ifconfig, capsh --print, systemctl status sshd, cat /root/.bash_history) spawned as child processes of the Langflow application process. ↗
- →Detect exfiltration of .env and .db files from Langflow servers; monitor for reads of environment variable files and database files shortly after inbound POST requests to the validate/code endpoint. ↗
- →Flag Langflow server processes spawning network connections over TCP to unusual external IPs/ports, consistent with Flodrix botnet C2 communication for DDoS command receipt. ↗
- ·The vulnerability is distinct from CVE-2026-33017, which targets the /api/v1/build_public_tmp/{flow_id}/flow endpoint; both share the same exec()-without-sandboxing root cause but affect different endpoints. ↗
- ·The Flodrix botnet payload self-terminates and deletes itself if executed without a valid argument, meaning initial infection attempts may not leave persistent artifacts — defenders should focus on network-level and process-spawn indicators rather than file persistence alone. ↗
- ·CISA added CVE-2025-3248 to its Known Exploited Vulnerabilities catalog on May 5, 2025, confirming active in-the-wild exploitation; treat any unpatched Langflow instance as actively targeted. ↗
- ·Ongoing exploitation of CVE-2025-3248 has been linked to the Iranian threat group MuddyWater, indicating nation-state interest in this vulnerability beyond opportunistic botnet operators. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
osv·2026-03-17·CVSS 9.8
CVE-2026-33017 [CRITICAL] Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.
This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executabl
GHSA
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
ghsa·2026-03-17·CVSS 9.8
CVE-2026-33017 [CRITICAL] CWE-306 Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.
This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executabl
OSV
Langflow Unauth RCE
osv·2025-06-17
CVE-2025-3248 [CRITICAL] Langflow Unauth RCE
Langflow Unauth RCE
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
GHSA
Langflow Unauth RCE
ghsa·2025-06-17
CVE-2025-3248 [CRITICAL] CWE-94 Langflow Unauth RCE
Langflow Unauth RCE
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
OSV
CVE-2025-3248: Langflow versions prior to 1
osv·2025-04-07
CVE-2025-3248 CVE-2025-3248: Langflow versions prior to 1
Langflow versions prior to 1.3.0 are susceptible to code injection in
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.
VulnCheck
Langflow Missing Authentication Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-3248 [CRITICAL] CWE-306 Langflow Missing Authentication Vulnerability
Langflow Missing Authentication Vulnerability
Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.
Affected: Langflow Langflow
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/31850; https://censys.com/blog/scouting-a-threat-actor; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-06&host_type=src&vulnerability=cve-2025-3248; https://fortiguard.
CISA
Langflow Missing Authentication Vulnerability
cisa·2025-05-05·CVSS 9.8
CVE-2025-3248 [CRITICAL] CWE-306 Langflow Missing Authentication Vulnerability
Vulnerability: Langflow Missing Authentication Vulnerability
Affected: Langflow Langflow
Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/advisories/GHSA-c995-4fw3-j39m ; https://nvd.nist.gov/vuln/detail/CVE-2025-3248
Remediation Due Date: 2025-05-26
Suricata
ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248)
suricata·2025-04-10·CVSS 9.8
CVE-2025-3248 [CRITICAL] ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248)
ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/api/v1/validate/code"; fast_pattern; http.request_body; content:"import"; pcre:"/(?:\x5f{2}|\x5c[\x22\x27]|\x255[cC]\x252[27])import(?:\x5f{2}|\x20|\x2520)/"; reference:url,www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/; reference:cve,2025-3248; classtype:web-application-attack; sid:2061448; rev:1; metadata:affected_product Langflow, attack_target Server, tls_
Exploit-DB
Langflow 1.2.x - Remote Code Execution (RCE)
exploitdb·2025-07-16·CVSS 9.8
CVE-2025-3248 [CRITICAL] Langflow 1.2.x - Remote Code Execution (RCE)
Langflow 1.2.x - Remote Code Execution (RCE)
---
#!/usr/bin/env python3
# Exploit Title: Langflow 1.2.x - Remote Code Execution (RCE)
# Date: 2025-07-11
# Exploit Author: Raghad Abdallah Al-syouf
# Vendor Homepage: https://github.com/logspace-ai/langflow
# Software Link: https://github.com/logspace-ai/langflow/releases
# Version: <= 1.2.x
# Tested on: Ubuntu / Docker
# CVE: CVE-2025-3248
# Description:
#Langflow exposes a vulnerable endpoint `/api/v1/validate/code` that improperly evaluates arbitrary Python code via the `exec()` function. An unauthenticated remote attacker can execute arbitrary system commands.
# Usage:
#python3 cve-2025-3248.py http://target:7860 "id"
import requests
import argparse
import json
from urllib.parse import urljoin
from colorama import Fore, Style, init
Exploit-DB
Langflow 1.3.0 - Remote Code Execution (RCE)
exploitdb·2025-04-18·CVSS 9.8
CVE-2025-3248 [CRITICAL] Langflow 1.3.0 - Remote Code Execution (RCE)
Langflow 1.3.0 - Remote Code Execution (RCE)
---
# Exploit Title: Langflow 1.3.0 - Remote Code Execution (RCE)
# Date: 2025-04-17
# Exploit Author: VeryLazyTech
# Vendor Homepage: http://www.langflow.org/
# Software Link: https://github.com/langflow-ai/langflow
# Version: Langflow < 1.3.0
# Tested on: Windows Server 2019
# CVE: CVE-2025-3248
# CVE-2025-3248 - Remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code
# FOFA "Langflow"
# Medium: https://medium.com/@verylazytech
# GitHub: https://github.com/verylazytech
# Shop: https://shop.verylazytech.com
# Website: https://www.verylazytech.com
import argparse
import requests
import json
from urllib.parse import urljoin
import random
from colorama import init, Fore, Style
# Disable SSL warnings
request
Nuclei
Langflow AI - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
CVE-2025-3248 [CRITICAL] Langflow AI - Unauthenticated Remote Code Execution
Langflow AI - Unauthenticated Remote Code Execution
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Template:
id: CVE-2025-3248
info:
name: Langflow AI - Unauthenticated Remote Code Execution
author: nvn1729
severity: critical
description: |
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint.A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
impact: |
Unauthenticated attackers can execute arbitrary code through crafted POST requests to the /api/v1/validate/code endpoint, achieving complete server compromise.
remediation: |
Upgrade to Lang
Metasploit
Langflow AI RCE
metasploit
Langflow AI RCE
Langflow AI RCE
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Hackernews
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
blogs_hackernews·2026-06-30·CVSS 9.8
CVE-2026-33017 [CRITICAL] Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner.
The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026.
"In this cam
Bleepingcomputer
Path traversal flaw in AI dev platform Langflow exploited in attacks
blogs_bleepingcomputer·2026-06-10·CVSS 9.8
CVE-2026-5027 [CRITICAL] Path traversal flaw in AI dev platform Langflow exploited in attacks
## Path traversal flaw in AI dev platform Langflow exploited in attacks
## Bill Toulas
CVE-2026-5027 is a high-severity path traversal flaw in Langflow's file upload functionality that fails to properly sanitize user-supplied filenames.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explains Tenable , which discovered the flaw at the start of the year.
Tenable publicly disclosed the issue on March 27, 2026, more than two months after initially reporting it to the Langflow team without receiving a response.
Although Tenable did not mention a fix in its advisory, Snyk Security reported on March 30, 2026, that t
Hackernews
LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
blogs_hackernews·2026-03-27·CVSS 7.3
[HIGH] LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain for more sophisticated and non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core,
Bleepingcomputer
CISA: New Langflow flaw actively exploited to hijack AI workflows
blogs_bleepingcomputer·2026-03-26·CVSS 9.8
CVE-2026-33017 [CRITICAL] CISA: New Langflow flaw actively exploited to hijack AI workflows
## CISA: New Langflow flaw actively exploited to hijack AI workflows
## Bill Toulas
Researchers at application security company Sysdig claim that hackers started exploiting CVE-2026-33017 on March 19, about 20 hours after the vulnerability advisory became public.
No public proof-of-concept (PoC) exploit code existed at the time, and Endor Labs believes that attackers built exploits directly from the information included in the advisory.
Automated scanning activity began in 20 hours, followed by exploitation using Python scripts in 21 hours, and data (.env and .db files) harvesting in 24 hours.
Langflow is a popular open-source visual framework for building AI workflows with 145,000 stars on GitHub . It provides a drag-and-drop interface for connecting nodes into executable pipelines,
Hackernews
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
blogs_hackernews·2026-03-20·CVSS 9.8
CVE-2026-33017 [CRITICAL] Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities.
The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.
"The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication," according to Langflow's advisory for the f
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz
blogs_wiz·2025-07-01·CVSS 7.2
[HIGH] Crying Out Cloud Newsletter - July 2025 | Wiz
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Trendmicro
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
blogs_trendmicro·2025-06-17·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Exploits y vulnerabilidades
## Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim , Sunil Bharti, Shubham Singh Jun 17, 2025 Read time: ( words)
Save to Folio
Summary:
Trend™ Research has identified an active campaign exploiting CVE-2025-3248 to deliver the Flodrix botnet. Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware.
CVE-2025-3248 (CVSS 9.8) is a c
Trendmicro
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
blogs_trendmicro·2025-06-17·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Exploits & Vulnerabilities
## Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim , Sunil Bharti, Shubham Singh 2025/06/17 Read time: ( words)
Save to Folio
Summary:
Trend™ Research has identified an active campaign exploiting CVE-2025-3248 to deliver the Flodrix botnet. Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware.
CVE-2025-3248 (CVSS 9.8) is a crit
Trendmicro
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
blogs_trendmicro·2025-06-17·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Ausnutzung von Schwachstellen
## Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim , Sunil Bharti, Shubham Singh Jun 17, 2025 Read time: ( words)
Save to Folio
Summary:
Trend™ Research has identified an active campaign exploiting CVE-2025-3248 to deliver the Flodrix botnet. Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware.
CVE-2025-3248 (CVSS 9.8) is a
Trendmicro
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
blogs_trendmicro·2025-06-17·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Exploits & Vulnerabilities
# Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim , Sunil Bharti, Shubham Singh
2025/06/17
Read time: ( words)
Save to Folio
Summary:
- Trend™ Research has identified an active campaign exploiting CVE-2025-3248 to deliver the Flodrix botnet. Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware.
- CVE-2025-3248 (CVSS 9.8) is a c
Trendmicro
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
blogs_trendmicro·2025-06-17·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Exploits & Vulnerabilities
## Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
This blog uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
By: Aliakbar Zahravi, Ahmed Mohamed Ibrahim , Sunil Bharti, Shubham Singh Jun 17, 2025 Read time: ( words)
Save to Folio
Summary:
Trend™ Research has identified an active campaign exploiting CVE-2025-3248 to deliver the Flodrix botnet. Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware.
CVE-2025-3248 (CVSS 9.8) is a cr
Wiz
Crying Out Cloud Newsletter - June 2025 | Wiz
blogs_wiz·2025-06-01·CVSS 9.8
[CRITICAL] Crying Out Cloud Newsletter - June 2025 | Wiz
Welcome back!
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Here are our top picks of cloud security highlights!
## 🔍 Highlights
## Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of t
Bleepingcomputer
Critical Langflow RCE flaw exploited to hack AI app servers
blogs_bleepingcomputer·2025-05-06·CVSS 9.8
CVE-2025-3248 [CRITICAL] Critical Langflow RCE flaw exploited to hack AI app servers
## Critical Langflow RCE flaw exploited to hack AI app servers
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible.
The vulnerability is tracked as CVE-2025-3248 and is a critical unauthenticated RCE flaw that allows any attacker on the internet to take full control of vulnerable Langflow servers by exploiting an API endpoint flaw.
Langflow is an open-source visual programming tool for building LLM-powered workflows using LangChain components. It provides a drag-and-drop interface to create, test, and deploy AI agents or pipelines without writing full backend code.
The tool, which has nearly 60k st
Zscaler
CVE-2025-3248: RCE vulnerability in Langflow | ThreatLabz
blogs_zscaler·2025-04-22·CVSS 9.8
[CRITICAL] CVE-2025-3248: RCE vulnerability in Langflow | ThreatLabz
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Zscaler
CXO Monthly Roundup, April 2025: New Threatlabz reports, HijackLoader, Mustang Panda, and Langflow | CXO Revolutionaries
blogs_zscaler
CXO Monthly Roundup, April 2025: New Threatlabz reports, HijackLoader, Mustang Panda, and Langflow | CXO Revolutionaries
TOP STORY
## CXO Monthly Roundup, April 2025: New Threatlabz reports, HijackLoader, Mustang Panda, and Langflow
Deepen Desai
Contributor
Zscaler
## May 14, 2025
Highlights from the Zscaler ThreatLabz team's April 2025 research.
The CXO Monthly Roundup (formerly the CISO Monthly Roundup) provides the latest threat research from the ThreatLabz team, along with insights on other cyber-related subjects that matter to technology executives. In April, ThreatLabz released two much-anticipated reports, one covering phishing and the other, VPN risk. The team published the inner workings of Mustang Panda, analyzed HijackLoader, and examined a critical remote code execution (RCE) vulnerability in Langflow, an open-source platform for composing AI-driven workflows.
## Zscaler ThreatLabz 2025 P
Recorded Future
Langflow: CVE-2025-3248: Active Exploitation
blogs_recorded_future·CVSS 9.8
CVE-2025-3248 [CRITICAL] Langflow: CVE-2025-3248: Active Exploitation
# Langflow: CVE-2025-3248: Active Exploitation
## Langflow: CVE-2025-3248
### What is CVE-2025-3248?
CVE-2025-3248 is a critical missing authentication vulnerability affecting Langflow versions before 1.3.0. Langflow is a widely used tool for building and deploying AI-powered agents and workflows. On May 5, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog. Exploiting the vulnerability can allow remote, unauthenticated attackers to send crafted HTTP requests and execute arbitrary code by abusing Python decorators and default arguments.
Given the high risk associated with this vulnerability and ongoing exploitation attempts, it is imperative to prioritize patching CVE-2025-3248 on your compa
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
NoiseLetter April 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Recorded Future
Langflow: CVE-2025-3248: Active Exploitation
blogs_recorded_future·CVSS 9.8
CVE-2025-3248 [CRITICAL] Langflow: CVE-2025-3248: Active Exploitation
## Langflow: CVE-2025-3248: Active Exploitation
## Langflow: CVE-2025-3248
## What is CVE-2025-3248?
CVE-2025-3248 is a critical missing authentication vulnerability affecting Langflow versions before 1.3.0. Langflow is a widely used tool for building and deploying AI-powered agents and workflows. On May 5, 2025, the US Cybersecurity and Infrastructure Security Agency ( CISA ) also added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog . Exploiting the vulnerability can allow remote, unauthenticated attackers to send crafted HTTP requests and execute arbitrary code by abusing Python decorators and default arguments.
Given the high risk associated with this vulnerability and ongoing exploitation attempts, it is imperative to prioritize patching CVE-2025-3248 on your co
Wiz
CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33017 [CRITICAL] CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33017 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly acc
https://github.com/langflow-ai/langflow/pull/6911https://github.com/langflow-ai/langflow/releases/tag/1.3.0https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/https://www.vulncheck.com/advisories/langflow-unauthenticated-rcehttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
2025-04-07
Published
2025-05-05
Added to CISA KEV
Exploited in the wild