
Langflow RCE Flaw Affects 466 Servers Globally says CISA

IMAGE CREDITS: LANGFLOW

A newly revealed critical vulnerability in the Langflow platform, tracked as CVE-2025-3248, has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. With a CVSS score of 9.8, the bug poses a severe risk to any organization running an internet-exposed Langflow instance.

Langflow is an open-source tool that helps developers build applications using large language models, and its popularity has made it a target. The flaw affects all versions of the platform prior to 1.3.0, which fixed it on March 31, 2025.

Flaw Allows Remote Code Execution Without Authentication

The vulnerability resides in the /api/v1/validate/code endpoint, which Langflow's backend exposed without requiring authentication. The endpoint accepts Python source for a custom component, parses it with the ast module, and then passes what it finds to Python's built-in exec() function. Defining a function evaluates its decorators and default arguments, so any expression an unauthenticated remote user places there runs on the server during "validation".

CISA’s alert warns that attackers can exploit this flaw to execute arbitrary commands on the server by sending specially crafted HTTP requests. Because there is no authentication or sandboxing, exploitation requires minimal effort and no prior access to the system.
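To make the mechanism concrete, the following is an added illustration and not Langflow's own source: a simplified reconstruction of the vulnerable validate-code pattern (parse with ast, then exec() each function definition) next to a hardened handler that requires an API key and performs a syntax-only check with no exec() at all. The payload, the API key, the header name and the handler signature are all constructed for this example; the side effect is an environment variable rather than a shell command, and the real fix in Langflow 1.3.0 added authentication rather than removing exec(), so the exec-free validator goes a step further than the shipped patch.

```python
import ast
import hmac
import importlib.util
import os

# Constructed payload: a syntactically valid function whose decorator is an
# arbitrary call expression. Defining the function evaluates the decorator, so
# exec() of the definition runs attacker-chosen code before anything is called.
# The decorator returns None, so applying it raises TypeError afterwards, but
# the side effect (setting MARKER) has already happened by then.
MARKER = "LANGFLOW_DEMO_EXECUTED"
PAYLOAD = (
    f"@__import__('os').environ.__setitem__({MARKER!r}, '1')\n"
    "def f():\n"
    "    pass\n"
)


def validate_code_vulnerable(code: str) -> dict:
    """Simplified reconstruction (assumption, not Langflow source) of the
    pre-1.3.0 pattern: syntax-check with ast, then exec() each function
    definition to 'validate' it. Reachable without authentication."""
    errors = {"imports": [], "function": []}
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        errors["function"].append(str(exc))
        return errors
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            try:
                # Decorators and default argument values are evaluated here.
                exec(compile(module, "<validate>", "exec"), {})
            except Exception as exc:  # error is recorded, code already ran
                errors["function"].append(str(exc))
    return errors


def validate_code_hardened(code: str) -> dict:
    """Syntax-only validation: ast.parse never evaluates user expressions.
    Imports are checked by looking up the module spec, not by importing it."""
    errors = {"imports": [], "function": []}
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        errors["function"].append(f"line {exc.lineno}: {exc.msg}")
        return errors
    for node in tree.body:
        if isinstance(node, ast.Import):
            for alias in node.names:
                top_level = alias.name.split(".")[0]
                if importlib.util.find_spec(top_level) is None:
                    errors["imports"].append(f"module not found: {alias.name}")
    return errors


# Assumption: in a real deployment the key comes from configuration, not source.
API_KEY = "example-key-not-for-production"


def handle_validate_request(headers: dict, body: dict) -> tuple:
    """Framework-agnostic stand-in for the authenticated endpoint handler.
    Returns (http_status, json_body). Header name x-api-key is an assumption."""
    supplied = headers.get("x-api-key", "")
    if not hmac.compare_digest(supplied, API_KEY):
        return 401, {"detail": "Unauthorized"}
    code = body.get("code")
    if not isinstance(code, str):
        return 422, {"detail": "code must be a string"}
    return 200, validate_code_hardened(code)


def demo_vulnerable() -> bool:
    """True if merely validating PAYLOAD executed the decorator expression."""
    os.environ.pop(MARKER, None)
    validate_code_vulnerable(PAYLOAD)
    return MARKER in os.environ


def demo_hardened() -> bool:
    """Same payload through the syntax-only validator: nothing executes."""
    os.environ.pop(MARKER, None)
    validate_code_hardened(PAYLOAD)
    return MARKER in os.environ


if __name__ == "__main__":
    print("vulnerable validator ran the payload:", demo_vulnerable())
    print("hardened validator ran the payload:  ", demo_hardened())
    print("unauthenticated request ->", handle_validate_request({}, {"code": PAYLOAD})[0])
```

The point to take from the pair is that "validating" Python by defining it is already executing it; a check that must not run untrusted code has to stop at ast.parse, and any endpoint that does go further needs an authentication dependency in front of it, not just in front of the UI.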

Cybersecurity firm Horizon3.ai, which discovered the vulnerability in February 2025, described it as “easily exploitable”. They also noted that any exposed Langflow server could be taken over by a remote attacker with a few lines of code.

Making matters worse, a proof-of-concept (PoC) exploit was released publicly on April 9, 2025, increasing the likelihood of widespread attacks. Since then, researchers from the SANS Technology Institute have observed real-world exploit attempts against their honeypots.

CISA’s directive requires all Federal Civilian Executive Branch (FCEB) agencies to apply the patch by May 26, 2025. While CISA’s mandate only applies to federal systems, all Langflow users are urged to upgrade immediately.

Over 400 Langflow Servers Exposed Online

According to Censys, a platform that tracks internet-exposed systems, at least 466 Langflow instances are currently reachable from the internet. Most of them are hosted in the U.S., Germany, Singapore, India, and China, so organizations in those countries account for the bulk of the exposed attack surface.

Although specific attack campaigns exploiting CVE-2025-3248 have not been publicly attributed to any group, the presence of PoC code and rising activity in honeypots suggest the flaw is actively being used in cyberattacks.

Security firm Zscaler emphasized the dangers posed by dynamic code execution in production environments. “CVE-2025-3248 highlights the risks of executing dynamic code without secure authentication and sandboxing measures,” the company said in a recent blog post. “This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet.”

Langflow's maintainers have acknowledged the issue and addressed it in version 1.3.0 by requiring authentication on the endpoint and validating its input. Because custom components in Langflow are user-supplied Python, the patch gates the endpoint behind a login rather than removing code execution altogether, so any account that can reach an instance should be treated as able to run code on the host. Organizations using earlier versions must upgrade or risk server compromise.

Even after patching, security teams are advised to audit access logs for POST requests to /api/v1/validate/code from unexpected sources and to check for other signs of compromise, especially if an instance was reachable from the internet while running a version older than 1.3.0 (that is, before March 31).
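As an added example of that log audit (not part of the original article or of Langflow's tooling), the script below parses reverse-proxy access logs in nginx "combined" format, keeps POST requests to the validate-code endpoint, and flags those from addresses outside the RFC 1918 ranges, grouping them by source. The sample log lines are constructed for this example; the internal-network allowlist and the assumption that Langflow sits behind a proxy writing this format are both assumptions, so adjust the regex if the logs come from uvicorn directly.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines (nginx combined format). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external sources.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2025:09:14:02 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Apr/2025:09:14:31 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 89 "-" "python-requests/2.32.3"
203.0.113.77 - - [12/Apr/2025:09:14:33 +0000] "POST /api/v1/validate/code HTTP/1.1" 500 21 "-" "python-requests/2.32.3"
10.0.0.5 - - [12/Apr/2025:09:20:11 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 89 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2025:09:21:40 +0000] "GET /health HTTP/1.1" 200 30 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
VALIDATE_PATH = "/api/v1/validate/code"
# Assumption: these are the only networks from which legitimate users connect.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip: str) -> bool:
    """Treat unparsable addresses as external so they are never silently dropped."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_validate_calls(lines) -> list:
    """POST requests to the validate-code endpoint from outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != VALIDATE_PATH:
            continue
        if is_external(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(lines) -> dict:
    """Group hits by source address: count, first-seen time, statuses, user agents.
    A 500 alongside a 200 from the same source is worth a closer look: a failing
    decorator expression is one way exploitation surfaces in the response code."""
    summary = {}
    for rec in suspicious_validate_calls(lines):
        entry = summary.setdefault(
            rec["ip"], {"count": 0, "first": rec["ts"].isoformat(), "statuses": set(), "agents": set()}
        )
        entry["count"] += 1
        entry["statuses"].add(rec["status"])
        entry["agents"].add(rec["ua"])
    for entry in summary.values():
        entry["statuses"] = sorted(entry["statuses"])
        entry["agents"] = sorted(entry["agents"])
    return summary


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against the real proxy logs by replacing SAMPLE_LOG with the file contents; any external source that posted to the endpoint while the instance ran a version older than 1.3.0 should be treated as a likely compromise and handled with a host-level investigation, not just a patch.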
