Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence
May 06, 2025
Cybersecurity / Vulnerability
A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities ( KEV ) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-3248 , carries a CVSS score of 9.8 out of a maximum of 10.0. "Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests," CISA said. Specifically, the endpoint has been found to improperly invoke Python's built-in exec() function on user-supplied code without adequate authentication or sandboxing, thereby allowing attackers to execute arbitrary commands on the server. The shortcoming, which affects most versions of the popular tool, has been addressed in version 1.3.0 released on March 31, 2025. Horizon3.ai has been credited with...
