CVE-2025-3248

GHSA-rvqx-wpfh-mfx7 CRITICAL ACTIVELY EXPLOITED
Published April 7, 2025

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Affected Systems

Package        Ecosystem   Vulnerable Range   Patched
langflow       pip         < 1.3.0            1.3.0
langflow       pip                            No patch
langflow-base  pip         < 0.3.0            0.3.0

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 92.5% (chance of exploitation in 30 days)
KEV Status: Actively Exploited
Sophistication: N/A

Recommended Action

Patch available

Update langflow to version 1.3.0

Update langflow-base to version 0.3.0


Technical Details

NVD Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 7, 2025
Last Modified: November 6, 2025
First Seen: April 7, 2025