A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0.
"Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests," CISA said.
Specifically, the endpoint has been found to improperly invoke Python's built-in exec() function on user-supplied code without adequate authentication or sandboxing, thereby allowing attackers to execute arbitrary commands on the server.
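The pattern CISA describes is a code-validation endpoint that reaches exec() before any authentication check. The following is an added example, not Langflow's code, of the hardened shape such a handler can take: authentication is enforced first, and validation is done by parsing the submission into an AST, which reports syntax errors and structure without ever running the code. The Request type, the token store and the function names are constructed assumptions.

```python
import ast
from dataclasses import dataclass
from typing import Optional

# Added example (not Langflow's code): a hardened code-validation handler that
# checks syntax by parsing to an AST and never executes the submitted source.
# The vulnerable pattern in the advisory was exec() on the request body with no
# auth gate; the Request type, token set and names below are constructed assumptions.


@dataclass
class Request:
    body: str
    auth_token: Optional[str] = None


# Stand-in for a real session/API-key store (constructed value).
VALID_TOKENS = {"constructed-session-token"}


def validate_code_hardened(req: Request) -> dict:
    """Validate submitted Python for syntax only, behind an authentication check."""
    # 1. Authentication first: unauthenticated callers never reach the parser.
    if req.auth_token not in VALID_TOKENS:
        return {"status": 401, "error": "authentication required"}
    # 2. ast.parse compiles to a syntax tree but runs nothing, so imports,
    #    function bodies and calls in the submitted text have no side effects.
    try:
        tree = ast.parse(req.body, mode="exec")
    except SyntaxError as exc:
        return {"status": 200, "valid": False,
                "error": f"line {exc.lineno}: {exc.msg}"}
    # 3. Report structural facts a UI might want, still without executing.
    imports = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
    functions = [n.name for n in tree.body if isinstance(n, ast.FunctionDef)]
    return {"status": 200, "valid": True,
            "imports": sorted(imports), "functions": functions}


if __name__ == "__main__":
    sample = "import os\n\ndef run():\n    raise SystemExit(1)\n"
    print(validate_code_hardened(Request(sample)))  # rejected: no token
    print(validate_code_hardened(Request(sample, "constructed-session-token")))
```

Note that the sample source contains a `raise SystemExit(1)` that would terminate the process under exec(); under ast.parse it is simply a node in the tree, which is the whole point of validating without executing.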
The shortcoming, which impacts most versions of the popular tool, has been addressed in version 1.3.0, released on March 31, 2025. Horizon3.ai has been credited with discovering and reporting the flaw in February.
According to the company, the vulnerability is "easily exploitable" and allows unauthenticated remote attackers to take control of Langflow servers. A proof-of-concept (PoC) exploit has since been made publicly available as of April 9, 2025, by other researchers.
Data from attack surface management platform Censys shows that there are 466 internet-exposed Langflow instances, with a majority of them concentrated in the United States, Germany, Singapore, India, and China.
It is currently not known how the vulnerability is being abused in real-world attacks, by whom, and for what purpose. Federal Civilian Executive Branch (FCEB) agencies have until May 26, 2025, to apply the fixes.
"CVE-2025-3248 highlights the dangers of executing dynamic code without secure authentication and sandboxing measures," Zscaler noted last month. "This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet."
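For teams that run an internet-reachable Langflow instance and want to know whether the endpoint named in the advisory has been reached from outside, the following added example (not Langflow's, CISA's or Zscaler's tooling) triages web-server access logs: it keeps only requests to /api/v1/validate/code, marks whether the source lies outside an operator-defined set of trusted networks and whether the server accepted the request, and ranks the results. The log lines and trusted ranges are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Added example (not Langflow's or CISA's tooling): a triage pass over access
# logs that surfaces requests to the endpoint named in the advisory.
# SAMPLE_LOG and TRUSTED_NETS are constructed values, not real data.

VALIDATE_CODE_PATH = "/api/v1/validate/code"

# Networks the operator considers internal (constructed assumption; adjust per site).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Combined/Common Log Format: client ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2025:10:12:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 512
203.0.113.7 - - [06/May/2025:10:12:05 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 87
198.51.100.3 - - [06/May/2025:10:12:09 +0000] "POST /api/v1/validate/code HTTP/1.1" 401 21
10.0.0.8 - - [06/May/2025:10:13:00 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 200 90
"""


def is_external(ip_text: str) -> bool:
    """True when the client address is outside every trusted network (or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(ip in net for net in TRUSTED_NETS)


def triage_validate_code_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request to the code-validation endpoint, highest risk first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string before comparing
        if path != VALIDATE_CODE_PATH:
            continue
        external = is_external(m.group("ip"))
        accepted = 200 <= int(m.group("status")) < 300
        if external and accepted:
            severity = "high"    # internet source and the server accepted the request
        elif external:
            severity = "medium"  # internet source reached the endpoint but was rejected
        else:
            severity = "info"    # internal caller; expected for legitimate UI use
        hits.append({"ip": m.group("ip"), "time": m.group("time"),
                     "status": int(m.group("status")), "external": external,
                     "accepted": accepted, "severity": severity})
    order = {"high": 0, "medium": 1, "info": 2}
    hits.sort(key=lambda h: order[h["severity"]])
    return hits


if __name__ == "__main__":
    for hit in triage_validate_code_hits(SAMPLE_LOG):
        print(hit)
```

On the constructed sample this yields one "high" record (an external client whose request was accepted), one "medium" (an external client that received a 401, which is what the patched version should return to unauthenticated callers) and one "info" record for an internal address. Any "high" record on a host that has not been upgraded to 1.3.0 is the first thing to investigate.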