RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)
A missing authentication vulnerability (CVE-2025-3248) in Langflow, a web application for building AI-driven agents, is being exploited by attackers in the wild, CISA has confirmed by adding it to its Known Exploited Vulnerabilities (KEV) catalog.
About CVE-2025-3248
Langflow is an open-source, Python-based app that allows users to create AI agents (e.g., chatbot assistants) and workflows without actually writing any code. Instead, they simply drag, drop and chain LLM components and add the necessary inputs.
Unfortunately, as Horizon3.ai researchers discovered, all Langflow versions before version 1.3.0 have an unauthenticated API endpoint (/api/v1/validate/code) that accepts any user input and runs it without properly sanitizing it or sandboxing it.
CVE-2025-3248 allows remote, unauthenticated attackers to execute arbitrary code on the vulnerable instance by sending a crafted HTTP request (with a malicious payload) to the endpoint. Attackers may use it to do all sorts of things: plant reverse shells / backdoors, retrieve the content of specific files, fetch malware, and more.
The vulnerability was reported in February 2025 by Horizon3.ai researchers and was patched in Langflow 1.3.0, released in late March. After another researcher published a proof-of-concept (PoC) exploit on April 9, Horizon3.ai followed by publishing their own.
“The patch puts the vulnerable endpoint behind authentication. Technically this vulnerability can still be exploited to escalate privileges from a regular user to a Langflow superuser, but that is already possible without this vulnerability too,” they noted.
Exploitation attempts
Censys shows around 470 internet-facing Langflow instances, down from 500+ it detected in early April. Whether these have been upgraded to the fixed version is unknown.
It’s also good to point out that, according to Horizon3.ai researchers, most internet-exposed Langflow instances have authentication enabled, though that doesn’t help to prevent exploitation in this case.
Two days after the PoCs were published, SANS ISC’s honeypots started seeing scans for the vulnerability, some of which attempted to grab a file containing passwords, suggesting reconnaissance and potential exploitation activities.
The observed exploit attempts originated from TOR exit nodes, noted Johannes B. Ullrich, Dean of Research at the SANS Technology Institute.
Whether the Cybersecurity and Infrastructure Security Agency added the vulnerability to its KEV catalog based on this report or another that has yet to be made public is unknown at this time.
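For teams that want to check their own Langflow front-end logs for the scanning described above, the following is an added example (not code from Horizon3.ai, SANS ISC or the Langflow project). It assumes access logs in the common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/v1/validate/code"  # endpoint named in the article

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode percent-escapes, collapse extra slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/") or "/"

def hunt(lines):
    """Return {source_ip: [(timestamp, method, status, accepted)]} for ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        # 2xx means the server processed the request body; on a version before
        # 1.3.0 that happens without authentication, so review those first.
        hits[m["ip"]].append((m["ts"], m["method"], status, 200 <= status < 300))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Apr/2025:03:14:07 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [11/Apr/2025:03:14:09 +0000] "POST /api/v1//validate/%63ode/ HTTP/1.1" 200 91 "-" "python-requests/2.31"
203.0.113.20 - - [12/Apr/2025:10:02:51 +0000] "POST /api/v1/validate/code HTTP/1.1" 403 31 "-" "curl/8.5.0"
192.0.2.15 - alice [12/Apr/2025:10:05:00 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_LOG).items():
        for ts, method, status, accepted in events:
            flag = "INVESTIGATE" if accepted else "rejected"
            print(f"{ip} {ts} {method} status={status} {flag}")
```

An access log does not record whether a request carried valid credentials, so on a patched instance a 2xx hit still needs to be matched against known users before it is ruled out.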
Action required
Organizations using Langflow in their AI development workflows are advised to upgrade to version 1.3.0 or 1.4.0 (released today).
“As a general practice we recommend caution when exposing any recently developed AI tools to the Internet,” Horizon3.ai researchers advised.
“If you must expose it externally, consider putting it in an isolated [virtual private cloud] and/or behind [single sign-on]. It only takes one errant/shadow IT deployment of these tools on some cloud instance to have a breach on your hands.”