Langflow /api/v1/validate/code command injection

Added: 04/11/2025
CVE: CVE-2025-3248

Background

Langflow is a low-code tool for building AI agents and workflows.

Problem

A command injection vulnerability in the /api/v1/validate/code API endpoint could allow a remote unauthenticated attacker to execute arbitrary commands by sending a specially crafted HTTP request.

Resolution

Upgrade to Langflow 1.3.0 or higher.

References

https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

Platforms

Linux

Back to exploit index