CVE Catalog

Actively exploited in the wild

Langflow Missing Authentication Vulnerability

Langflow - Langflow · Listed in the CISA KEV since 2025-05-05. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-3248

CriticalCVSS 9.8KEV
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
99.99%

100th percentile - higher than 100% of all known CVEs

Summary

Langflow versions prior to 1.3.0 are vulnerable to code injection via the /api/v1/validate/code endpoint. An unauthenticated remote attacker can execute arbitrary code by sending crafted HTTP requests.

Risk Assessment

The risk includes full server compromise, data theft, or service disruption without requiring authentication.

Recommendation

Upgrade Langflow to version 1.3.0 or later immediately. If upgrading is not possible, restrict access to the /api/v1/validate/code endpoint from untrusted networks.

Original NVD description (English source)

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS