NVD - CVE-2025-3248 (original) (raw)
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
CNA: VulnCheck
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| Langflow Missing Authentication Vulnerability | 05/05/2025 | 05/26/2025 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
Known Affected Software Configurations Switch to CPE 2.2
Change History
10 change records found show changes
Modified Analysis by NIST 11/06/2025 8:57:48 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | VulnCheck: https://www.vulncheck.com/advisories/langflow-unauthenticated-rce Types: Third Party Advisory |
CVE Modified by VulnCheck 11/04/2025 6:15:37 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.vulncheck.com/advisories/langflow-unauthenticated-rce |
Modified Analysis by NIST 10/31/2025 5:59:47 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-3248 Types: US Government Resource |
CVE Modified by CISA-ADP 10/21/2025 7:17:02 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-3248 |
CVE Modified by CISA-ADP 10/21/2025 4:20:36 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-3248 |
CVE Modified by CISA-ADP 10/21/2025 3:21:17 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-3248 |
Initial Analysis by NIST 5/07/2025 12:24:00 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| Added | CWE | CWE-94 | |
| Added | CWE | CWE-306 | |
| Added | CPE Configuration | OR *cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* versions up to (excluding) 1.3.0 | |
| Added | Reference Type | VulnCheck: https://github.com/langflow-ai/langflow/pull/6911 Types: Patch | |
| Added | Reference Type | VulnCheck: https://github.com/langflow-ai/langflow/releases/tag/1.3.0 Types: Release Notes | |
| Added | Reference Type | VulnCheck: https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/ Types: Exploit, Third Party Advisory |
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 5/05/2025 9:00:02 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | 2025-05-05 | |
| Added | Due Date | 2025-05-26 | |
| Added | Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | |
| Added | Vulnerability Name | Langflow Missing Authentication Vulnerability |
CVE Modified by VulnCheck 4/09/2025 3:15:50 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/ |
New CVE Received from VulnCheck 4/07/2025 11:15:44 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | |
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| Added | CWE | CWE-306 | |
| Added | Reference | https://github.com/langflow-ai/langflow/pull/6911 | |
| Added | Reference | https://github.com/langflow-ai/langflow/releases/tag/1.3.0 |