CVE-2025-3248 — CRITICAL (CVSS 9.8) AI Security Vulnerability

Q: Is CVE-2025-3248 actively exploited?

Yes, CVE-2025-3248 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Mon May 05 2025 00:00:00 GMT+0000 (Coordinated Universal Time).

Q: How to fix CVE-2025-3248?

1. Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0. 2. If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting). 3. Rotate all API keys and credentials stored in or accessible from the Langflow environment. 4. Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC. 5. Treat unpatched internet-exposed instances as compromised and initiate IR procedures. 6. Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

Q: What systems are affected by CVE-2025-3248?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, RAG pipelines, AI development platforms, model serving.

Q: What is the CVSS score for CVE-2025-3248?

CVE-2025-3248 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 91.81%.

CISO Take

Patch Langflow to 1.3.0 immediately — this is an unauthenticated RCE with CVSS 9.8 confirmed actively exploited in the wild (CISA KEV). Any internet-exposed Langflow instance should be treated as compromised until verified. If patching is not immediate, block /api/v1/validate/code at the WAF/firewall and restrict access to trusted IPs only.

Risk Assessment

Maximum risk. CVSS 9.8 with network-accessible, zero-authentication, zero-user-interaction attack vector. EPSS of 0.925 places this in the top 1% of likely-exploited vulnerabilities. CISA KEV listing confirms active exploitation in the wild. Langflow deployments are frequently internet-exposed by design, making this trivially exploitable at scale with no barrier to entry for attackers.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →
langflow	pip	< 1.3.0	`1.3.0`
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →
langflow-base	pip	< 0.3.0	`0.3.0`
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

91.8%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

CISA KEV

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed) — May 2025

✓ CISA SSVC: Active exploitation

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 92%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0.
If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting).
Rotate all API keys and credentials stored in or accessible from the Langflow environment.
Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC.
Treat unpatched internet-exposed instances as compromised and initiate IR procedures.
Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

CISA SSVC Assessment

Decision Act

Exploitation active

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.8.4 - AI System Security and Resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-3248?

Patch Langflow to 1.3.0 immediately — this is an unauthenticated RCE with CVSS 9.8 confirmed actively exploited in the wild (CISA KEV). Any internet-exposed Langflow instance should be treated as compromised until verified. If patching is not immediate, block /api/v1/validate/code at the WAF/firewall and restrict access to trusted IPs only.

Is CVE-2025-3248 actively exploited?

Yes, CVE-2025-3248 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog since Mon May 05 2025 00:00:00 GMT+0000 (Coordinated Universal Time).

How to fix CVE-2025-3248?

1. Patch immediately: upgrade langflow to ≥1.3.0 and langflow-base to ≥0.3.0. 2. If patching is delayed: block or restrict /api/v1/validate/code at the WAF/reverse proxy; require network-level authentication (VPN, IP allowlisting). 3. Rotate all API keys and credentials stored in or accessible from the Langflow environment. 4. Audit access logs for unexpected POST requests to /api/v1/validate/code — any such traffic is an IOC. 5. Treat unpatched internet-exposed instances as compromised and initiate IR procedures. 6. Scan internal deployments via Shodan/Censys query for exposed instances before attackers do.

What systems are affected by CVE-2025-3248?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, RAG pipelines, AI development platforms, model serving.

What is the CVSS score for CVE-2025-3248?

CVE-2025-3248 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 91.81%.

Technical Details

NVD Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Exploitation Scenario

An attacker identifies internet-exposed Langflow instances via Shodan or Censys (no auth required to query). Without any credentials, they send a crafted HTTP POST to /api/v1/validate/code containing a Python payload wrapped in exec(). Langflow's code validation endpoint executes the payload server-side, granting an immediate reverse shell. From there, the attacker extracts all LLM API keys from environment variables and config files, accesses connected vector stores and PostgreSQL databases, and pivots to cloud provider APIs to fully compromise the broader AI infrastructure. Total time from identification to shell: under five minutes.