CVE-2025-3248: Langflow Unauth RCE

Q: Is CVE-2025-3248 actively exploited?

Yes, CVE-2025-3248 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Mon May 05 2025 00:00:00 GMT+0000 (Coordinated Universal Time).

Q: How to fix CVE-2025-3248?

1. Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0. 2. If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting). 3. Rotate all API keys and credentials stored in or accessible from the Langflow environment. 4. Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC. 5. Treat unpatched internet-exposed instances as compromised and initiate IR procedures. 6. Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

Q: What systems are affected by CVE-2025-3248?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, RAG pipelines, AI development platforms, model serving.

Q: What is the CVSS score for CVE-2025-3248?

CVE-2025-3248 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 99.96%.

CISO Take

Patch Langflow to 1.3.0 immediately — this is an unauthenticated RCE with CVSS 9.8 confirmed actively exploited in the wild (CISA KEV). Any internet-exposed Langflow instance should be treated as compromised until verified. If patching is not immediate, block /api/v1/validate/code at the WAF/firewall and restrict access to trusted IPs only.

What is the risk?

Maximum risk. CVSS 9.8 with network-accessible, zero-authentication, zero-user-interaction attack vector. EPSS of 0.925 places this in the top 1% of likely-exploited vulnerabilities. CISA KEV listing confirms active exploitation in the wild. Langflow deployments are frequently internet-exposed by design, making this trivially exploitable at scale with no barrier to entry for attackers.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	< 1.3.0	`1.3.0`
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	< 0.3.0	`0.3.0`
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

100.0%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

CISA KEV

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed) — May 2025

✓ CISA SSVC: Active exploitation

✓ Weaponized Metasploit module (exploit/multi/http/langflow_unauth_rce_cve_2025_3248)

○ Exploit published in Exploit-DB

○ Nuclei detection template available

○ EPSS exploit prediction: 100%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0.
If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting).
Rotate all API keys and credentials stored in or accessible from the Langflow environment.
Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC.
Treat unpatched internet-exposed instances as compromised and initiate IR procedures.
Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

What does CISA's SSVC say?

Decision Act

Exploitation active

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.8.4 - AI System Security and Resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-3248?

Patch Langflow to 1.3.0 immediately — this is an unauthenticated RCE with CVSS 9.8 confirmed actively exploited in the wild (CISA KEV). Any internet-exposed Langflow instance should be treated as compromised until verified. If patching is not immediate, block /api/v1/validate/code at the WAF/firewall and restrict access to trusted IPs only.

Is CVE-2025-3248 actively exploited?

Yes, CVE-2025-3248 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Mon May 05 2025 00:00:00 GMT+0000 (Coordinated Universal Time).

How to fix CVE-2025-3248?

1. Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0. 2. If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting). 3. Rotate all API keys and credentials stored in or accessible from the Langflow environment. 4. Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC. 5. Treat unpatched internet-exposed instances as compromised and initiate IR procedures. 6. Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

What systems are affected by CVE-2025-3248?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, RAG pipelines, AI development platforms, model serving.

What is the CVSS score for CVE-2025-3248?

CVE-2025-3248 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 99.96%.

What is the AI security impact?

Affected AI Architectures

LLM workflow buildersagent frameworksRAG pipelinesAI development platformsmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0055 Unsecured Credentials

AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.4

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM03, LLM06

What are the technical details?

Original Advisory

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Exploitation Scenario

An attacker identifies internet-exposed Langflow instances via Shodan or Censys (no auth required to query). Without any credentials, they send a crafted HTTP POST to /api/v1/validate/code containing a Python payload wrapped in exec(). Langflow's code validation endpoint executes the payload server-side, granting an immediate reverse shell. From there, the attacker extracts all LLM API keys from environment variables and config files, accesses connected vector stores and PostgreSQL databases, and pivots to cloud provider APIs to fully compromise the broader AI infrastructure. Total time from identification to shell: under five minutes.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-306 Missing Authentication for Critical Function CWE-306 Missing Authentication for Critical Function

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

[Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.