CVE-2025-3248: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
Basic Information

Field | Value |
---|---|
CVSS Score | 9.8 (CVSS v3.1) |
CVE ID | CVE-2025-3248 |
GHSA ID | |
EPSS Score | 0.99713% |
CWE | |
Published | 4/7/2025 |
Updated | 4/10/2025 |
KEV Status | Yes |
Technology | Python |
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
langflow | pip | < 1.3.0 | 1.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability has two layers: 1) the API endpoint handler (post_validate_code) lacked authentication, so the endpoint was reachable by unauthenticated requests; 2) the validation logic (validate_code) ran user-controlled input through Python's unsafe exec(). The patch adds authentication to the endpoint but does not change the underlying code-execution mechanism, so validate_code remains the injection point whenever it is reached without proper authorization checks. Both functions would appear in the stack trace of an exploitation attempt: the endpoint handler during HTTP request processing, and validate_code during execution of the submitted code.
Vulnerable functions
langflow.api.v1.validate.post_validate_code
src/backend/base/langflow/api/v1/validate.py
The original endpoint handler processed untrusted code input without any authorization check; the current_user parameter added in the patch shows that authentication was previously absent.
langflow.utils.validate.validate_code
src/backend/base/langflow/utils/validate.py
Directly processes untrusted code input with Python's exec() and insufficient validation, enabling code injection via decorators and default arguments, whose expressions are evaluated as soon as the function definition is executed.
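As an added illustration of the second layer described above (constructed example code, not Langflow's validate_code and not its patch, which only added authentication to the endpoint), the snippet below contrasts an exec-based "validator" with a parse-only one. The `_record` helper and the two sample inputs are constructed stand-ins that merely log when a definition-time expression runs.

```python
import ast

# Constructed demo state: records when a submitted expression actually runs.
SIDE_EFFECTS: list[str] = []

def _record(tag):
    """Constructed stand-in for any callable the submitted code can reach."""
    SIDE_EFFECTS.append(str(tag))
    return tag

# Constructed samples. Neither function body is ever called, yet the
# default-argument and decorator expressions run as soon as `def` executes.
SAMPLE_DEFAULT_ARG = "def f(x=_record('default-arg-ran')):\n    return x\n"
SAMPLE_DECORATOR = "@_record('decorator-ran')\ndef g():\n    pass\n"

def validate_with_exec(code: str) -> dict:
    """Vulnerable pattern (the shape the advisory describes): 'validate'
    by executing the submitted source. Definition-time expressions run
    before any error is reported, so even a rejected submission has
    already executed attacker-chosen code."""
    namespace = {"_record": _record}  # assumption: what the exec'd code can see
    try:
        exec(code, namespace)
    except Exception as exc:  # reported, but the damage is already done
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
    return {"ok": True}

def validate_with_ast(code: str) -> dict:
    """Hardened pattern: syntax-check with ast.parse, which builds a tree
    and evaluates nothing. Returns the top-level function names found."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"ok": False, "error": f"SyntaxError: {exc.msg} (line {exc.lineno})"}
    names = [n.name for n in tree.body if isinstance(n, ast.FunctionDef)]
    return {"ok": True, "functions": names}

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT_ARG, SAMPLE_DECORATOR):
        print("ast :", validate_with_ast(sample), SIDE_EFFECTS)
        print("exec:", validate_with_exec(sample), SIDE_EFFECTS)
```

Note that the decorator sample fails under exec (a string is not callable) and is still "rejected", yet `SIDE_EFFECTS` shows the attacker-controlled expression ran first; the ast-based check leaves the list empty.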