The US cybersecurity agency CISA on Monday issued an alert on a recent Langflow vulnerability being exploited in the wild.
A Python-based, LLM agnostic AI builder, Langflow is a customizable visual framework that supports the development of multi-agent and retrieval augmented generation (RAG) applications.
Tracked as CVE-2025-3248 (CVSS score of 9.8) and disclosed in early April, the exploited issue is described as a code injection issue in a code validation endpoint. It was resolved in Langflow version 1.3.0.
“A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code,” a NIST advisory reads.
On April 9, Horizon3.ai published technical details on the security defect, warning that proof-of-concept (PoC) exploit code targeting it had already been released and that it could be exploited to take full control of vulnerable servers.
“The vulnerable code is present in the earliest versions of Langflow dating back two years, and from our testing it appears most, if not all, versions prior to 1.3.0 are exploitable,” the cybersecurity firm warned, noting that it found multiple paths of exploiting the bug for remote code execution.
It also warned that the fix introduced in version 1.3.0 added an authentication requirement, but did not fully eliminate the flaw. Restricting network access to the framework should eliminate the risk of exploitation.
“Technically this vulnerability can still be exploited to escalate privileges from a regular user to a Langflow superuser, but that is already possible without this vulnerability too. We’re not really clear why Langflow distinguishes between superusers and regular users when all regular users can execute code on the server by design,” Horizon3.ai said.
Censys data shows that there are roughly 460 internet-accessible Langflow hosts. However, it is unclear how many of these are vulnerable.
On April 5, CISA added CVE-2025-3248 to the Known Exploited Vulnerabilities (KEV) catalog, alerting federal agencies of its in-the-wild targeting.
The warning comes roughly a month after SANS’s Johannes Ullrich noticed a spike in hits to the vulnerable Langflow endpoint, fueled by Horizon3.ai’s report and the publicly available PoC code.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until May 26 to apply patches for the security defect. However, all organizations are advised to prioritize the patching of the vulnerabilities in CISA’s KEV list.
Related: Critical Commvault Vulnerability in Attacker Crosshairs
Related: PoC Published for Exploited SonicWall Vulnerabilities
Related: CISA Warns of Exploited Broadcom, Commvault Vulnerabilities
Related: CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days