Actively exploited in the wild
Langflow Missing Authentication Vulnerability
Langflow - Langflow · Listed in the CISA KEV since 2025-05-05. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2025-3248
CriticalCVSS 9.8KEVExploitation Probability (EPSS)
Very high risk100th percentile - higher than 100% of all known CVEs
Summary
Langflow versions prior to 1.3.0 are vulnerable to code injection via the /api/v1/validate/code endpoint. An unauthenticated remote attacker can execute arbitrary code by sending crafted HTTP requests.
Risk Assessment
The risk includes full server compromise, data theft, or service disruption without requiring authentication.
Recommendation
Upgrade Langflow to version 1.3.0 or later immediately. If upgrading is not possible, restrict access to the /api/v1/validate/code endpoint from untrusted networks.
Original NVD description (English source)
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

