Tool Abuse / Excessive Agency · Critical
Langflow unauthenticated RCE (CVE-2025-3248)
April 2025 · Langflow
What happened
Langflow's /api/v1/validate/code endpoint passed user-supplied code to Python's exec() with no authentication or sandboxing, giving remote unauthenticated attackers full code execution on the AI-agent-building platform (CVE-2025-3248, CVSS 9.8). It was mass-exploited by the Flodrix botnet and added to CISA's Known Exploited Vulnerabilities catalog on May 5, 2025.
Root cause
An unauthenticated validation endpoint executed arbitrary submitted code, exposing every internet-facing Langflow instance to pre-auth remote code execution.
Fix / outcome
Patched in Langflow 1.3.0, which requires authentication on the endpoint. Upgrade and restrict network exposure.
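A log triage sketch for the exposure described above, added here as an example and not taken from Langflow or any vendor tooling. It assumes a reverse proxy writing common/combined-format access logs, and treats a 2xx response on the endpoint as "request was processed" (worth investigating, not proof of compromise); the sample lines are constructed.

```python
import re
from collections import defaultdict

# Endpoint named in the incident write-up above.
ENDPOINT = "/api/v1/validate/code"

# Common/combined access log format (assumption; adapt to your proxy).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines):
    """Group requests to the validate endpoint by client IP.

    Returns {ip: {"accepted": [timestamps], "rejected": [timestamps]}}.
    "accepted" = 2xx (the server processed the submitted body);
    "rejected" = any other status (e.g. an auth failure after upgrading).
    """
    hits = defaultdict(lambda: {"accepted": [], "rejected": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Ignore query string and trailing slash when comparing paths.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT:
            continue
        bucket = "accepted" if m["status"].startswith("2") else "rejected"
        hits[m["ip"]][bucket].append(m["ts"])
    return dict(hits)

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [02/May/2025:10:14:03 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 412',
    '203.0.113.7 - - [02/May/2025:10:14:09 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 398',
    '198.51.100.23 - - [06/May/2025:08:01:44 +0000] "POST /api/v1/validate/code/ HTTP/1.1" 403 31',
    '192.0.2.10 - - [06/May/2025:08:02:00 +0000] "GET /api/v1/flows HTTP/1.1" 200 1024',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, seen in triage(SAMPLE).items():
        print(ip, "accepted:", len(seen["accepted"]),
              "rejected:", len(seen["rejected"]))
```

Clients with "accepted" entries dated before the upgrade to 1.3.0 are the ones to prioritise for host-level review.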