Critical vulnerability reported in Langflow AI Builder enabling unauthenticated remote code execution
Take action: If you are using Langflow, patch ASAP! In the meantime, isolate it from the internet and make it accessible only from trusted networks. Don't stop there, though: the vulnerable endpoint is trivial to compromise for anyone who can reach it, and either a malicious attacker or a disgruntled employee will find it if you leave it unpatched.
A critical security vulnerability has been discovered in Langflow, a popular open-source tool used for building agentic AI workflows. Security researchers from Horizon3.ai identified and reported the flaw that allows unauthenticated remote attackers to fully compromise Langflow servers.
Langflow is a Python-based web application that provides a visual interface for building AI-driven agents and workflows. The platform has gained significant popularity with over 50,000 stars on GitHub and is backed by major companies including DataStax and IBM.
The vulnerability is tracked as CVE-2025-3248 (CVSS score 9.8). The flaw exists in an unauthenticated API endpoint (/api/v1/validate/code) that uses Python's exec() function on user-supplied input and has been present in the codebase for approximately two years, affecting most if not all versions prior to 1.3.0.
The vulnerability allows attackers to execute arbitrary code on the server remotely, establish reverse shells to gain persistent access, extract sensitive data including authentication credentials, and potentially gain full control of the affected server.
Security researchers have documented two distinct techniques for exploiting this vulnerability:
Python Decorator Abuse: Attackers can insert malicious code within a function's decorator, causing arbitrary code execution when the function is defined. For example:

    @exec("import os; os.system('echo Vulnerable')")
    def example_func(): pass

Function Default Arguments: Attackers can leverage Python's function default arguments to execute malicious expressions during function definition.

    def foo(cmd=exec("__import__('subprocess').check_output(['env'])")): pass

Both techniques allow for interactive exploitation, enabling attackers to manipulate servers in real-time.
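As an added example (not code from this article, from Horizon3.ai or from Langflow, and not a description of Langflow's fix), the sketch below inspects submitted source with Python's ast module instead of executing it, and reports call expressions sitting in the two definition-time positions described above. The function name definition_time_calls and the sample strings are constructed for illustration.

```python
import ast

# Constructed samples: the two payload shapes quoted in the article, plus a benign function.
SAMPLES = {
    "decorator": "@exec(\"import os; os.system('echo Vulnerable')\")\n"
                 "def example_func():\n    pass\n",
    "default_arg": "def foo(cmd=exec(\"__import__('subprocess').check_output(['env'])\")):\n"
                   "    pass\n",
    "benign": "import functools\n\n@functools.lru_cache\n"
              "def ok(x, retries=3, *, label='a'):\n    return x\n",
}


def definition_time_calls(source):
    """Return (lineno, location, callee) for each call expression found in a
    decorator or a default argument. The source is parsed only, never executed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        # Input that is not valid Python is reported rather than silently passed.
        return [(err.lineno or 0, "unparseable", err.msg)]
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        # Decorator expressions are evaluated when the def/class statement runs.
        spots = [("decorator", d) for d in node.decorator_list]
        if not isinstance(node, ast.ClassDef):
            # Positional and keyword-only defaults are evaluated at the same moment.
            kw = [d for d in node.args.kw_defaults if d is not None]
            spots += [("default", d) for d in node.args.defaults + kw]
        for where, expr in spots:
            for sub in ast.walk(expr):
                if isinstance(sub, ast.Call):
                    findings.append((sub.lineno, f"{node.name}:{where}", ast.unparse(sub.func)))
    return findings


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, definition_time_calls(src))
```

This is a triage aid for reviewing logged request bodies, not a sandbox: it covers only the two positions named in this article, and a bare decorator without a call expression is not flagged.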
Exploitation occurs when an attacker sends these payloads to the vulnerable endpoint via a POST request:

    POST /api/v1/validate/code HTTP/1.1
    Host: vuln-test-langflow.example.com
    Content-Type: application/json
    Content-Length: 172

    { "code": "@exec(\"with open('hacked.txt', 'w') as f: f.write('The server has been compromised')\")\ndef foo():\n pass" }

According to Censys scans, over 500 Langflow instances are currently exposed on the internet. Without proper mitigation, these systems face risks of data breaches, theft of sensitive information, internal network compromise, persistent server access facilitating further attacks, potential ransomware deployment or lateral movement within networks.
The vulnerability has been patched in Langflow version 1.3.0, released on March 31, 2025. Security experts strongly recommend that users upgrade to Langflow 1.3.0 or later, and that they restrict network access to Langflow instances through firewalls or VPCs or place Langflow behind strong authentication mechanisms like SSO.