Critical Langflow authentication vulnerability actively exploited
Take action: If you needed another reason to patch and isolate Langflow, how about being hacked in real time? Don't delay, patch ASAP! In the meantime, isolate it from the internet and make it accessible only from trusted networks!
CISA is reporting active exploitation of a critical Langflow vulnerability.
The vulnerability, tracked as CVE-2025-3248 (CVSS score 9.8), allows unauthenticated remote attackers to execute arbitrary code on vulnerable servers running this popular open-source AI workflow platform.
The vulnerability exists in the /api/v1/validate/code endpoint which improperly invokes Python's built-in exec() function on user-supplied code without adequate authentication or sandboxing.
According to Censys, an attack surface management platform, approximately 466 internet-exposed Langflow instances have been identified globally, with most concentrated in the United States, Germany, Singapore, India, and China. A proof-of-concept (PoC) exploit was publicly released on April 9, 2025, increasing the risk of active attacks.
The vulnerability affects most versions of Langflow prior to version 1.3.0, which was released on March 31, 2025.
Organizations using affected versions should immediately upgrade to Langflow 1.3.0 or implement network-level protections to restrict access to vulnerable endpoints.
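Until the upgrade is done, the network restriction above can be checked against reverse-proxy access logs. The following detector is an added example, not Langflow's own code; it assumes Langflow sits behind a proxy writing Common Log Format lines, and the trusted networks and sample log lines are constructed for the example.

```python
"""Added example (not Langflow's own code): flag hits on Langflow's
/api/v1/validate/code endpoint that come from outside the trusted networks."""
import ipaddress
import re

# Endpoint named in the advisory: it passes the request body to exec().
VULNERABLE_PATH = "/api/v1/validate/code"
# Constructed for this example: the only networks allowed to reach Langflow.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
# Common Log Format: ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def is_trusted(ip: str) -> bool:
    """True when the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(log_lines):
    """Return (client_ip, timestamp, status) for each untrusted hit on the endpoint.
    The query string is stripped so '/api/v1/validate/code?x=1' still matches."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ip, ts, _method, path, status = m.groups()
        if path.split("?", 1)[0] == VULNERABLE_PATH and not is_trusted(ip):
            hits.append((ip, ts, int(status)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.4.7 - - [10/Apr/2025:09:12:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2025:09:13:44 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 200 640',
    '198.51.100.2 - - [10/Apr/2025:09:14:05 +0000] "GET /api/v1/flows HTTP/1.1" 200 128',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ts}: {ip} reached {VULNERABLE_PATH} from an untrusted network (HTTP {status})")
```

A hit from an untrusted address with a 200 status is the signal that the endpoint is still reachable and should be treated as a possible compromise, not just a misconfiguration.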
Update (17 June 2025): Trend Micro Research reports an active campaign exploiting this flaw to deliver the Flodrix botnet, enabling attackers to achieve full system compromise, launch distributed denial-of-service attacks, and potentially exfiltrate sensitive data from affected systems.